Re: [RFC PATCH 2/2] hw/sd/sdcard: Deprecate the SPI mode

2020-07-06 Thread Peter Krempa
On Mon, Jul 06, 2020 at 00:07:31 +0200, Philippe Mathieu-Daudé wrote:
> SD cards can be used with SPI, SD or MMC protocol.
> 
> Unfortunately, maintaining the SPI protocol makes improving the
> MMC mode very difficult. As of 2020 users are more interested
> in using cards with the MMC protocol.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  docs/system/deprecated.rst | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
> index 5e67d7f3e0..01dca3d038 100644
> --- a/docs/system/deprecated.rst
> +++ b/docs/system/deprecated.rst
> @@ -384,6 +384,11 @@ full SCSI support.  Use virtio-scsi instead when SCSI 
> passthrough is required.
>  Note this also applies to ``-device virtio-blk-pci,scsi=on|off``, which is an
>  alias.
>  
> +``-device sd-card,spi=on`` (since 5.1)
> +^^
> +
> +The SPI mode of the 'sd-card' device is deprecated.
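
Review bot: The new ``-device sd-card,spi=on`` entry only states that the SPI mode is deprecated; unlike the virtio-blk entry in the context lines just above it, which tells users to "Use virtio-scsi instead", it gives neither the reason nor what to use instead. Suggest carrying the rationale from the commit message (SPI support gets in the way of improving the MMC mode) into the entry, and saying explicitly if there is no replacement.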

libvirt didn't implement this knob so it's okay to remove it without
replacement.

ACKed-by: Peter Krempa 





Re: [PATCH] MAINTAINERS: update nvme entry

2020-07-06 Thread Klaus Jensen
On Jul  7 08:30, Philippe Mathieu-Daudé wrote:
> On 7/6/20 9:43 PM, Keith Busch wrote:
> > The nvme emulated device development pace has increased recently.  Klaus
> > has offered to co-maintain, and since we have many new contributions
> > coming through, we're adding a repository to accumulate and test new
> > features.
> 
> Thanks Klaus for helping!
> 
> > 
> > Cc: Klaus Jensen 
> > Signed-off-by: Keith Busch 
> > ---
> >  MAINTAINERS | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/MAINTAINERS b/MAINTAINERS
> > index c31c878c63..fbeba04dc5 100644
> > --- a/MAINTAINERS
> > +++ b/MAINTAINERS
> > @@ -1793,10 +1793,12 @@ F: include/hw/virtio/virtio-crypto.h
> >  
> >  nvme
> >  M: Keith Busch 
> > +M: Klaus Jensen 
> 
> Is that the correct email you want to use?
> 

Yes that is correct. I prefer getting CC'ed on that address, but yes, I
sign off with and use my @samsung.com address for commits.

> Regardless:
> Reviewed-by: Philippe Mathieu-Daudé 
> 
> >  L: qemu-bl...@nongnu.org
> >  S: Supported
> >  F: hw/block/nvme*
> >  F: tests/qtest/nvme-test.c
> > +T: git git://git.infradead.org/qemu-nvme.git nvme-next
> >  
> >  megasas
> >  M: Hannes Reinecke 
> > 
> 
> 



[RFC PATCH 3/3] target/avr: Fix SBRC/SBRS instructions

2020-07-06 Thread Philippe Mathieu-Daudé
SBRC/SBRS instructions seem to be inverted.

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/avr/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/avr/translate.c b/target/avr/translate.c
index fe03e676df..2f77fe3ba7 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -1385,7 +1385,7 @@ static bool trans_SBRC(DisasContext *ctx, arg_SBRC *a)
 {
 TCGv Rr = cpu_r[a->rr];
 
-ctx->skip_cond = TCG_COND_EQ;
+ctx->skip_cond = TCG_COND_NE;
 ctx->skip_var0 = tcg_temp_new();
 ctx->free_skip_var0 = true;
 
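
Review bot: In trans_SBRC the switch from TCG_COND_EQ to TCG_COND_NE cannot be checked from this hunk, because the lines that load ctx->skip_var0 and the value it is later compared against are outside the context. SBRC skips the next instruction when the tested bit is clear, so if skip_var0 holds Rr masked with that bit and the comparison is against zero, TCG_COND_EQ was already the correct condition. Please add a comment on this line stating what skip_cond is evaluated against, or quote the masking line in the commit message.
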
@@ -1401,7 +1401,7 @@ static bool trans_SBRS(DisasContext *ctx, arg_SBRS *a)
 {
 TCGv Rr = cpu_r[a->rr];
 
-ctx->skip_cond = TCG_COND_NE;
+ctx->skip_cond = TCG_COND_EQ;
 ctx->skip_var0 = tcg_temp_new();
 ctx->free_skip_var0 = true;
 
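
Review bot: The mirrored change in trans_SBRS rests only on the commit message's "seem to be inverted", with no failing guest code, datasheet reference or test to back it. Because both conditions flip together, a wrong guess silently inverts every SBRC/SBRS skip in guest firmware; a small test that executes both instructions with the bit set and with it clear would settle the direction before this is merged.
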
-- 
2.21.3




Re: [RFC PATCH 1/2] hw/sd/ssi-sd: Deprecate the SPI to SD card 'adapter'

2020-07-06 Thread Peter Krempa
On Mon, Jul 06, 2020 at 00:07:30 +0200, Philippe Mathieu-Daudé wrote:
> This device duplicates the SPI mode of the sd-card device. The
> SPI protocol is better handled in the sd-card, however as the
> TYPE_SSI_SLAVE is not an interface, the sd-card can not implement
> it easily to be pluggable on a SPI bus. Meanwhile the ssi-sd
> device acts as a bridge, but is bitrotting. Deprecate it.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  docs/system/deprecated.rst | 5 +
>  1 file changed, 5 insertions(+)
> 
> diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
> index 47f84be8e0..5e67d7f3e0 100644
> --- a/docs/system/deprecated.rst
> +++ b/docs/system/deprecated.rst
> @@ -343,6 +343,11 @@ The 'ide-drive' device is deprecated. Users should use 
> 'ide-hd' or
>  The 'scsi-disk' device is deprecated. Users should use 'scsi-hd' or
>  'scsi-cd' as appropriate to get a SCSI hard disk or CD-ROM as needed.
>  
> +``ssi-sd`` (since 5.1)
> +'
> +
> +The 'ssi-sd' (SSI to SD card adapter) device is deprecated.
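
Review bot: The ``ssi-sd`` entry gives no migration path, while the neighbouring entry in the context lines does ("Users should use 'scsi-hd' or 'scsi-cd' as appropriate"). The commit message calls the sd-card device's own SPI mode the better-handled implementation, but the companion patch 2/2 deprecates ``-device sd-card,spi=on`` as well, so the entry should state plainly whether any SPI-attached SD card model remains supported.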

libvirt didn't allow configuring this device yet, so from our view it's
okay to remove it.

ACKed-by: Peter Krempa 




[PATCH 0/3] target/avr: Few fixes

2020-07-06 Thread Philippe Mathieu-Daudé
Few fixes on top of the AVR merger series Thomas sent yesterday:

https://www.mail-archive.com/qemu-devel@nongnu.org/msg720089.html
Based-on: <20200705140315.260514-1-h...@tuxfamily.org>

Philippe Mathieu-Daudé (3):
  target/avr: Drop tlb_flush() in avr_cpu_reset()
  target/avr: Fix $PC displayed address
  target/avr: Fix SBRC/SBRS instructions

 target/avr/cpu.c   | 4 +---
 target/avr/translate.c | 4 ++--
 2 files changed, 3 insertions(+), 5 deletions(-)

-- 
2.21.3




[PATCH 2/3] target/avr: Fix $PC displayed address

2020-07-06 Thread Philippe Mathieu-Daudé
$PC is 16-bit wide. Other registers display addresses on a byte
granularity.
To have a coherent output, display $PC using byte granularity too.

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/avr/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/avr/cpu.c b/target/avr/cpu.c
index 50fb1c378b..9be464991f 100644
--- a/target/avr/cpu.c
+++ b/target/avr/cpu.c
@@ -151,7 +151,7 @@ static void avr_cpu_dump_state(CPUState *cs, FILE *f, int 
flags)
 int i;
 
 qemu_fprintf(f, "\n");
-qemu_fprintf(f, "PC:%06x\n", env->pc_w);
+qemu_fprintf(f, "PC:%06x\n", env->pc_w * 2);
 qemu_fprintf(f, "SP:  %04x\n", env->sp);
 qemu_fprintf(f, "rampD: %02x\n", env->rampD >> 16);
 qemu_fprintf(f, "rampX: %02x\n", env->rampX >> 16);
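
Review bot: The PC line now prints env->pc_w * 2, a byte address, under the unchanged label "PC:" and from a field whose name says it holds a word address, so anyone comparing this dump with env->pc_w elsewhere will be off by a factor of two. Suggest a short comment on that line saying the value is converted from words to bytes, and wording the commit message in terms of word versus byte granularity rather than "$PC is 16-bit wide".
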
-- 
2.21.3




[PATCH 1/3] target/avr: Drop tlb_flush() in avr_cpu_reset()

2020-07-06 Thread Philippe Mathieu-Daudé
Since commit 1f5c00cfdb tlb_flush() is called from cpu_common_reset().

Signed-off-by: Philippe Mathieu-Daudé 
---
 target/avr/cpu.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/target/avr/cpu.c b/target/avr/cpu.c
index 4e4dd4f6aa..50fb1c378b 100644
--- a/target/avr/cpu.c
+++ b/target/avr/cpu.c
@@ -78,8 +78,6 @@ static void avr_cpu_reset(DeviceState *ds)
 env->skip = 0;
 
 memset(env->r, 0, sizeof(env->r));
-
-tlb_flush(cs);
 }
 
 static void avr_cpu_disas_set_info(CPUState *cpu, disassemble_info *info)
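
Review bot: Dropping tlb_flush(cs) at the end of avr_cpu_reset() is only safe if this function chains to the parent class reset that reaches cpu_common_reset(), and that call is not in the visible context. Please say in the commit message that the parent reset is invoked here, so the flush cited from commit 1f5c00cfdb is known to still happen on every AVR CPU reset.
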
-- 
2.21.3




Re: [PATCH 2/6] migration: introduce savevm, loadvm, delvm QMP commands

2020-07-06 Thread Peter Krempa
On Mon, Jul 06, 2020 at 18:15:55 +0200, Kevin Wolf wrote:
> Am 03.07.2020 um 18:02 hat Daniel P. Berrangé geschrieben:
> > On Fri, Jul 03, 2020 at 04:49:33PM +0100, Dr. David Alan Gilbert wrote:
> > > * Daniel P. Berrangé (berra...@redhat.com) wrote:
> > > > On Thu, Jul 02, 2020 at 01:12:52PM -0500, Eric Blake wrote:
> > > > > On 7/2/20 12:57 PM, Daniel P. Berrangé wrote:

[...]

> > migration only does vmstate, not disks. The current blockdev commands
> > are all related to external snapshots, nothing for internal snapshots
> > AFAIK. So we still need commands to load/save internal snapshots of
> > the disk data in the qcow2 files.
> > 
> > So we could look at loadvm/savevm conceptually as a syntax sugar above
> > a migration transport that targets disk images, and blockdev QMP command
> > that can do internal snapshots. Neither of these exist though and feel
> > like a significantly larger amount of work than using existing functionality
> > that is currently working.
> 
> There is blockdev-snapshot-internal-sync, which does a disk-only
> snapshot of a single node. A snapshot of multiple nodes can be taken by
> putting multiple blockdev-snapshot-internal-sync inside a 'transaction'
> command.

Libvirt never implemented support for disk-only internal snapshots as I
didn't think they are worth it. We also made a mistake by using the
VIR_DOMAIN_SNAPSHOT_DISK_ONLY to switch to an external snapshot, so
while the XML can modify the snapshot to be internal it's not very clear
nor user-friendly to force an internal disk only snapshot.

> If we want to build on top of this, we'd have to implement a
> transactionable command for storing only the VM state to a specific
> node. This would probably still be a long-running job.

IMO we really want this also for external snapshots. Driving the
migration as standard migration is really suboptimal especially when the
user wants minimal downtime. Transactioning a post-copy style copy-on
write migration would simplify this a lot. I agree though that this is
for a different conversation.




Re: [PATCH] MAINTAINERS: update nvme entry

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/6/20 9:43 PM, Keith Busch wrote:
> The nvme emulated device development pace has increased recently.  Klaus
> has offered to co-maintain, and since we have many new contributions
> coming through, we're adding a repository to accumulate and test new
> features.

Thanks Klaus for helping!

> 
> Cc: Klaus Jensen 
> Signed-off-by: Keith Busch 
> ---
>  MAINTAINERS | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c31c878c63..fbeba04dc5 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1793,10 +1793,12 @@ F: include/hw/virtio/virtio-crypto.h
>  
>  nvme
>  M: Keith Busch 
> +M: Klaus Jensen 

Is that the correct email you want to use?

Regardless:
Reviewed-by: Philippe Mathieu-Daudé 

>  L: qemu-bl...@nongnu.org
>  S: Supported
>  F: hw/block/nvme*
>  F: tests/qtest/nvme-test.c
> +T: git git://git.infradead.org/qemu-nvme.git nvme-next
>  
>  megasas
>  M: Hannes Reinecke 
> 




[PATCH] hw/register: Document register_init_block @memory_size

2020-07-06 Thread Philippe Mathieu-Daudé
Document the 'memory_size' argument of register_init_block().

Fixes: a74229597e ("register: Add block initialise helper")
Signed-off-by: Philippe Mathieu-Daudé 
---
 include/hw/register.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/hw/register.h b/include/hw/register.h
index 5d2c565ae0..fdac5e69b5 100644
--- a/include/hw/register.h
+++ b/include/hw/register.h
@@ -181,6 +181,7 @@ uint64_t register_read_memory(void *opaque, hwaddr addr, 
unsigned size);
  * @data: Array to use for register data, must already be allocated
  * @ops: Memory region ops to access registers.
  * @debug enabled: turn on/off verbose debug information
+ * @memory_size: Size of the memory region
  * returns: A structure containing all of the registers and an initialized
  *  memory region (r_array->mem) the caller should add to a container.
  */
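
Review bot: "@memory_size: Size of the memory region" gives no unit and does not say how the size relates to the registers being initialised, and it is added after "@debug enabled", which may not match the parameter order of register_init_block(). Suggest stating the unit and any constraint (for example whether it must cover the highest register offset), and listing the tags in the same order as the prototype.
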
-- 
2.21.3




Re: [PATCH] MAINTAINERS: update nvme entry

2020-07-06 Thread Klaus Jensen
On Jul  6 12:43, Keith Busch wrote:
> The nvme emulated device development pace has increased recently.  Klaus
> has offered to co-maintain, and since we have many new contributions
> coming through, we're adding a repository to accumulate and test new
> features.
> 
> Cc: Klaus Jensen 
> Signed-off-by: Keith Busch 

Acked-by: 

> ---
>  MAINTAINERS | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index c31c878c63..fbeba04dc5 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -1793,10 +1793,12 @@ F: include/hw/virtio/virtio-crypto.h
>  
>  nvme
>  M: Keith Busch 
> +M: Klaus Jensen 
>  L: qemu-bl...@nongnu.org
>  S: Supported
>  F: hw/block/nvme*
>  F: tests/qtest/nvme-test.c
> +T: git git://git.infradead.org/qemu-nvme.git nvme-next
>  
>  megasas
>  M: Hannes Reinecke 
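
Review bot: The new T: line points at git://git.infradead.org/qemu-nvme.git, and the plain git:// transport is neither authenticated nor encrypted, so contributors cloning nvme-next from it cannot tell whether the tree was altered in transit. If the host also serves this repository over https, list that URL instead.
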
> -- 
> 2.24.1
> 
> 



Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/7/20 7:48 AM, Markus Armbruster wrote:
> Philippe Mathieu-Daudé  writes:
> 
>> Coverity noticed commit 950c4e6c94 introduced a dereference before
>> null check in get_opt_value (CID1391003):
>>
>>   In get_opt_value: All paths that lead to this null pointer
>>   comparison already dereference the pointer earlier (CWE-476)
>>
>> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
>> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
>> for the 'value' parameter".
>>
>> Since this function is publicly exposed, it risks new users to do
>> the same error again. Avoid that by documenting the 'value' argument
>> must not be NULL.
>>
>> Signed-off-by: Philippe Mathieu-Daudé 
>> ---
>> v2: Drop confuse comment (Damien Hedde)
>> ---
>>  include/qemu/option.h | 13 +
>>  1 file changed, 13 insertions(+)
>>
>> diff --git a/include/qemu/option.h b/include/qemu/option.h
>> index eb4097889d..ac50d25774 100644
>> --- a/include/qemu/option.h
>> +++ b/include/qemu/option.h
>> @@ -28,6 +28,19 @@
>>  
>>  #include "qemu/queue.h"
>>  
>> +/**
>> + * get_opt_value
>> + * @p: a pointer to the option name, delimited by commas
>> + * @value: a non-NULL pointer that will received the delimited options
> 
> s/received/receive/
> 
>> + *
>> + * The @value char pointer will be allocated and filled with
>> + * the delimited options.
>> + *
>> + * Returns the position of the comma delimiter/zero byte after the
>> + * option name in @p.
>> + * The memory pointer in @value must be released with a call to g_free()
>> + * when no longer required.
>> + */
>>  const char *get_opt_value(const char *p, char **value);
>>  
>>  void parse_option_size(const char *name, const char *value,
> 
> You are adding a *second* doc comment: the definition already has one.
> It's clearer than yours on some things, and less explicit on others.
> Feel free to improve or replace it.  But do put it next to the
> definition.

Hmm I haven't noticed it, because my reflex is to look at the usage
description in the prototype declaration, not in the implementation.

I know, 2 different schools.

Maybe we can make both schools less unhappy by simply duplicating the
function description in both the header and the source files...

> 
> I'm not trying to re-argue where to put doc comments.

We could, because the origin of both this patch and the commits
referenced that produced CID1391003.

> I *am* arguing
> for local consistency while we lack global consistency.  For code I
> maintain, I insist on local consistency.
> 
> The code belonging to MAINTAINERS section "Command line option argument
> parsing" has doc comments next to the definition.  Except for
> qemu_opt_has_help_opt(), which predates my maintainer mandate.
> 
Please disregard this patch, I don't mind about get_opt_value().




Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Markus Armbruster
Philippe Mathieu-Daudé  writes:

> Coverity noticed commit 950c4e6c94 introduced a dereference before
> null check in get_opt_value (CID1391003):
>
>   In get_opt_value: All paths that lead to this null pointer
>   comparison already dereference the pointer earlier (CWE-476)
>
> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
> for the 'value' parameter".
>
> Since this function is publicly exposed, it risks new users to do
> the same error again. Avoid that by documenting the 'value' argument
> must not be NULL.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> v2: Drop confuse comment (Damien Hedde)
> ---
>  include/qemu/option.h | 13 +
>  1 file changed, 13 insertions(+)
>
> diff --git a/include/qemu/option.h b/include/qemu/option.h
> index eb4097889d..ac50d25774 100644
> --- a/include/qemu/option.h
> +++ b/include/qemu/option.h
> @@ -28,6 +28,19 @@
>  
>  #include "qemu/queue.h"
>  
> +/**
> + * get_opt_value
> + * @p: a pointer to the option name, delimited by commas
> + * @value: a non-NULL pointer that will received the delimited options

s/received/receive/

> + *
> + * The @value char pointer will be allocated and filled with
> + * the delimited options.
> + *
> + * Returns the position of the comma delimiter/zero byte after the
> + * option name in @p.
> + * The memory pointer in @value must be released with a call to g_free()
> + * when no longer required.
> + */
>  const char *get_opt_value(const char *p, char **value);
>  
>  void parse_option_size(const char *name, const char *value,
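
Review bot: The comment requires @value to be "a non-NULL pointer", but the prototype in the context line, const char *get_opt_value(const char *p, char **value);, does nothing to enforce it, which is the same gap behind the CWE-476 report quoted in the commit message. Suggest backing the wording with a nonnull attribute on the declaration or an assertion in the function, and stating whether @p may be NULL as well.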

You are adding a *second* doc comment: the definition already has one.
It's clearer than yours on some things, and less explicit on others.
Feel free to improve or replace it.  But do put it next to the
definition.

I'm not trying to re-argue where to put doc comments.  I *am* arguing
for local consistency while we lack global consistency.  For code I
maintain, I insist on local consistency.

The code belonging to MAINTAINERS section "Command line option argument
parsing" has doc comments next to the definition.  Except for
qemu_opt_has_help_opt(), which predates my maintainer mandate.




Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Thomas Huth
On 07/07/2020 07.35, Markus Armbruster wrote:
> Richard Henderson  writes:
> 
>> On 6/29/20 12:08 AM, Philippe Mathieu-Daudé wrote:
>>> Coverity noticed commit 950c4e6c94 introduced a dereference before
>>> null check in get_opt_value (CID1391003):
>>>
>>>   In get_opt_value: All paths that lead to this null pointer
>>>   comparison already dereference the pointer earlier (CWE-476)
>>>
>>> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
>>> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
>>> for the 'value' parameter".
>>>
>>> Since this function is publicly exposed, it risks new users to do
>>> the same error again. Avoid that by documenting the 'value' argument
>>> must not be NULL.
>>
>> I think we should also add some use of __attribute__((nonnull(...))) to
>> enforce this within the compiler.
>>
>> I recently did this without a qemu/compiler.h QEMU_FOO wrapper within
>> target/arm.  But the nonnull option has optional arguments, so it might be
>> difficult to wrap in macros.
> 
> Do we support building with a compiler that lacks this attribute?

It seems to be available in GCC 4.0 already:

https://gcc.gnu.org/onlinedocs/gcc-4.0.0/gcc/Function-Attributes.html

... so the answer to your question is certainly "no". All supported
compilers should have this attribute.

 Thomas
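
The nonnull suggestion quoted above, as an added example that is not part of the thread or of QEMU's source: demo_get_opt_value(), DEMO_NONNULL and the ",," escape are assumptions of this example. It shows what the attribute gives (a compile-time diagnostic for literal NULL arguments) and what it does not (a run-time check), which is why a checked wrapper sits at the boundary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper name for this example; not a QEMU macro. */
#define DEMO_NONNULL(...) __attribute__((nonnull(__VA_ARGS__)))

/*
 * Constructed stand-in for a get_opt_value()-style parser (not QEMU's code).
 * Copies the text up to the next ',' into a malloc'd string stored in *value
 * and returns a pointer to the delimiter (',' or '\0') inside p.
 * Assumption of this example: ",," is an escaped literal comma.
 *
 * nonnull(1, 2) makes the contract visible to the compiler:
 *  - a call with a literal NULL is diagnosed by -Wnonnull at compile time;
 *  - the optimizer may assume both pointers are valid, so a NULL test
 *    written inside this function can be dropped (GCC: -Wnonnull-compare).
 * It is NOT a run-time check: a NULL computed at run time still crashes.
 */
DEMO_NONNULL(1, 2)
const char *demo_get_opt_value(const char *p, char **value);

const char *demo_get_opt_value(const char *p, char **value)
{
    char *out = malloc(strlen(p) + 1);   /* the value is never longer than p */
    size_t n = 0;

    *value = out;
    if (!out) {
        return p;                        /* allocation failed: *value is NULL */
    }
    while (*p) {
        if (*p == ',') {
            if (p[1] != ',') {
                break;                   /* unescaped delimiter ends the value */
            }
            p++;                         /* ",," -> keep a single ',' */
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return p;
}

/*
 * Boundary wrapper for callers whose pointers are not statically known.
 * It carries no nonnull attribute, so these checks are kept by the compiler.
 * Returns NULL (and touches nothing) when the contract is violated.
 */
const char *demo_get_opt_value_checked(const char *p, char **value)
{
    if (p == NULL || value == NULL) {
        return NULL;
    }
    return demo_get_opt_value(p, value);
}

int main(void)
{
    char *v = NULL;
    const char *rest = demo_get_opt_value_checked("a,,b,next=1", &v);

    printf("value='%s' rest='%s'\n", v, rest);
    free(v);
    /* demo_get_opt_value("x", NULL);   <- diagnosed by -Wnonnull */
    printf("checked(\"x\", NULL) -> %p\n",
           (const void *)demo_get_opt_value_checked("x", NULL));
    return 0;
}
```

Building with -Wall -Werror turns the commented-out call in main() into a compile error, which is the enforcement the attribute adds on top of the documentation.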





Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Markus Armbruster
Richard Henderson  writes:

> On 6/29/20 12:08 AM, Philippe Mathieu-Daudé wrote:
>> Coverity noticed commit 950c4e6c94 introduced a dereference before
>> null check in get_opt_value (CID1391003):
>> 
>>   In get_opt_value: All paths that lead to this null pointer
>>   comparison already dereference the pointer earlier (CWE-476)
>> 
>> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
>> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
>> for the 'value' parameter".
>> 
>> Since this function is publicly exposed, it risks new users to do
>> the same error again. Avoid that by documenting the 'value' argument
>> must not be NULL.
>
> I think we should also add some use of __attribute__((nonnull(...))) to
> enforce this within the compiler.
>
> I recently did this without a qemu/compiler.h QEMU_FOO wrapper within
> target/arm.  But the nonnull option has optional arguments, so it might be
> difficult to wrap in macros.

Do we support building with a compiler that lacks this attribute?




Re: Slow down with: 'Make "info qom-tree" show children sorted'

2020-07-06 Thread Markus Armbruster
Philippe Mathieu-Daudé  writes:

> On 7/7/20 6:45 AM, Thomas Huth wrote:
>> On 27/05/2020 10.47, Markus Armbruster wrote:
>>> "info qom-tree" prints children in unstable order.  This is a pain
>>> when diffing output for different versions to find change.  Print it
>>> sorted.
>>>
>>> Signed-off-by: Markus Armbruster 
>>> ---
>>>  qom/qom-hmp-cmds.c | 24 
>>>  1 file changed, 16 insertions(+), 8 deletions(-)
>> 
>>  Hi Markus,
>> 
>> this patch causes a slow down of the qtests which becomes quite massive
>> when e.g. using the ppc64 and thorough testing. When I'm running
>> 
>> QTEST_QEMU_BINARY="ppc64-softmmu/qemu-system-ppc64" time \
>> ./tests/qtest/device-introspect-test -m slow | tail -n 10
>> 
>> the test runs for ca. 6m40s here before the patch got applied, and for
>> more than 20 minutes after the patch got applied!

That's surprising.

> Argh, yesterday I reviewed again all the range except this patch... not
> sure why as looking at it now it is obvious.
>
>> This causes our gitlab CI to constantly fail since the patch got merged,
>> since the testing time now exceeds the 1h time limit:
>> 
>>  https://gitlab.com/qemu-project/qemu/-/pipelines/156767175
>> 
>> Sure, we can work around that problem in the CI (Alex has already a
>> patch queued), but still, is there something you could do about this
>> massive slowdown?
>
> Suggestion: add a '-u' option for unsorted mode, to use in qtests.
>
> Humans want the new behavior (default: sorted).

Last resort.  

I'll look into speeding up the sort first.

Work-around: drop -m slow until we get this sorted (pardon the pun).




Re: Test failure with Smartfusion2 emac block (msf2-emac)

2020-07-06 Thread Thomas Huth
On 07/07/2020 07.18, Thomas Huth wrote:
> 
>  Hi Subbaraya,
> 
> today, I noticed that there is a test failure with msf2-emac when
> running the device-introspect-test in slow mode. Either run:
> 
>  make check-qtest-aarch64 SPEED=slow
> 
> or as a shortcut:
> 
>  make tests/qtest/device-introspect-test
>  QTEST_QEMU_BINARY="aarch64-softmmu/qemu-system-aarch64" \
>   ./tests/qtest/device-introspect-test -m slow
> 
> Then the test fails with:
> 
> Unexpected error in error_set_from_qdev_prop_error() at
> hw/core/qdev-properties.c:1251:
> Property 'msf2-emac.netdev' can't take value 'hub0port0', it's in use
> 
> Could you please have a look?

The problem might be related to m2sxxx_soc_initfn() in msf2-soc.c. Looks
like you are using nd_table in an instance_init function. This is almost
always wrong, and should be done by the machine code instead (e.g. in
msf2-som.c).

 Thomas


PS: Maybe also have a look at this article, it might help to understand
the idea behind instance_init a little bit:
http://people.redhat.com/~thuth/blog/qemu/2018/09/10/instance-init-realize.html




Test failure with Smartfusion2 emac block (msf2-emac)

2020-07-06 Thread Thomas Huth


 Hi Subbaraya,

today, I noticed that there is a test failure with msf2-emac when
running the device-introspect-test in slow mode. Either run:

 make check-qtest-aarch64 SPEED=slow

or as a shortcut:

 make tests/qtest/device-introspect-test
 QTEST_QEMU_BINARY="aarch64-softmmu/qemu-system-aarch64" \
  ./tests/qtest/device-introspect-test -m slow

Then the test fails with:

Unexpected error in error_set_from_qdev_prop_error() at
hw/core/qdev-properties.c:1251:
Property 'msf2-emac.netdev' can't take value 'hub0port0', it's in use

Could you please have a look?

 Thanks,
  Thomas




[Bug 1886362] Re: Heap use-after-free in lduw_he_p through e1000e_write_to_rx_buffers

2020-07-06 Thread Philippe Mathieu-Daudé
Running with '-trace e1000\*':

e1000e_cb_pci_realize E1000E PCI realize entry
e1000e_mac_set_permanent Set permanent MAC: 52:54:00:12:34:56
e1000e_cfg_support_virtio Virtio header supported: 0
e1000e_rx_set_cso RX CSO state set to 0
e1000e_cb_qdev_reset E1000E qdev reset entry
e1000x_mac_indicate Indicating MAC to guest: 52:54:00:12:34:56
e1000x_rx_can_recv_disabled link_up: 1, rx_enabled 0, pci_master 0
e1000x_rx_can_recv_disabled link_up: 1, rx_enabled 0, pci_master 0
e1000e_vm_state_running VM state is running
[R +0.094581] outl 0xcf8 0x80001010
[S +0.094604] OK
[R +0.094632] outl 0xcfc 0xe102
[S +0.094654] OK
[R +0.094668] outl 0xcf8 0x80001014
[S +0.094675] OK
[R +0.094694] outl 0xcf8 0x80001004
[S +0.094702] OK
[R +0.094712] outw 0xcfc 0x7
e1000e_rx_start_recv 
[S +0.096938] OK
[R +0.096960] outl 0xcf8 0x800010a2
[S +0.096972] OK
[R +0.096986] write 0xe102003b 0x1 0xff
e1000e_core_write Write to register 0x38, 4 byte(s), value: 0xff
e1000e_vlan_vet Setting VLAN ethernet type 0xFF
[S +0.097019] OK
[R +0.097034] write 0xe1020103 0x1e 
0xff055c5e5c30be4511d084ff
e1000e_core_write Write to register 0x100, 4 byte(s), value: 0xff
e1000e_rx_set_rctl RCTL = 0xff
e1000e_rx_desc_buff_sizes buffer sizes: [2048, 0, 0, 0]
e1000e_rx_desc_len RX descriptor length: 16
e1000e_rx_start_recv 
e1000e_wrn_regs_write_unknown WARNING: Write to unknown register 0x104, 4 
byte(s), value: 0x5c05
e1000e_core_write Write to register 0x2820, 4 byte(s), value: 0xbe305c5e
e1000e_irq_rdtr_fpd_not_running FPD written while RDTR was not running
e1000e_wrn_regs_write_unknown WARNING: Write to unknown register 0x10c, 4 
byte(s), value: 0x84d01145
e1000e_core_write Write to register 0x2800, 4 byte(s), value: 0x
e1000e_core_write Write to register 0x2804, 4 byte(s), value: 0x
e1000e_core_write Write to register 0x2808, 4 byte(s), value: 0x
e1000e_wrn_regs_write_unknown WARNING: Write to unknown register 0x11c, 4 
byte(s), value: 0x
e1000e_core_write Write to register 0x2810, 4 byte(s), value: 0xff
[S +0.097143] OK
[R +0.097159] write 0xe1020420 0x4 0x
e1000e_core_write Write to register 0x3800, 4 byte(s), value: 0x
[S +0.097173] OK
[R +0.097183] write 0xe1020424 0x4 0x
e1000e_core_write Write to register 0x3804, 4 byte(s), value: 0x
[S +0.097196] OK
[R +0.097208] write 0xe102042b 0x1 0xff
e1000e_core_write Write to register 0x3808, 4 byte(s), value: 0xff
[S +0.097221] OK
[R +0.097231] write 0xe1020430 0x4 0x055c5e5c
e1000e_core_write Write to register 0x3810, 4 byte(s), value: 0x5c5e5c05
[S +0.097243] OK
[R +0.097253] write 0x5c041 0x1 0x04
[S +0.097914] OK
[R +0.097942] write 0x5c042 0x1 0x02
[S +0.097953] OK
[R +0.097964] write 0x5c043 0x1 0xe1
[S +0.097972] OK
[R +0.097984] write 0x5c048 0x1 0x8a
[S +0.097992] OK
[R +0.098003] write 0x5c04a 0x1 0x31
[S +0.098011] OK
[R +0.098022] write 0x5c04b 0x1 0xff
[S +0.098029] OK
[R +0.098040] write 0xe1020403 0x1 0xff
e1000e_core_write Write to register 0x400, 4 byte(s), value: 0xff
e1000e_tx_descr 0xe1020400 : ff31008a 0
e1000e_core_read Read from register 0x400, 4 byte(s), value: 0xff
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x404, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x408, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x40c, 4 
byte(s)
e1000e_core_read Read from register 0x410, 4 byte(s), value: 0x602008
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x414, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x418, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x41c, 4 
byte(s)
e1000e_core_read Read from register 0x3800, 4 byte(s), value: 0xfff0
e1000e_core_read Read from register 0x3804, 4 byte(s), value: 0x
e1000e_core_read Read from register 0x3808, 4 byte(s), value: 0x80
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x42c, 4 
byte(s)
e1000e_core_read Read from register 0x3810, 4 byte(s), value: 0x5c05
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x434, 4 
byte(s)
e1000e_core_read Read from register 0x3818, 4 byte(s), value: 0x0
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x43c, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x3820, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x444, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x448, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x44c, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x450, 4 
byte(s)
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x454, 4 
byte(s)
e1000e_core_read Read from register 0x458, 4 byte(s), value: 0x0
e1000e_wrn_regs_read_unknown WARNING: Read from unknown register 0x45c, 4 
byte(s)
e1000e_wrn_regs_read_unk

Re: [PATCH 00/13] Reverse debugging

2020-07-06 Thread Pavel Dovgalyuk

On 06.07.2020 22:55, Alex Bennée wrote:
> Pavel Dovgalyuk  writes:
>
>> Ping.
>
> I started going through this and then ran into some merge conflicts. Are
> all the pre-requisite patches now merged via Paolo's tree?

Yes, everything is merged.
I pulled the latest master a minute ago and got no conflicts with the patches.

Pavel Dovgalyuk



Re: Slow down with: 'Make "info qom-tree" show children sorted'

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/7/20 6:45 AM, Thomas Huth wrote:
> On 27/05/2020 10.47, Markus Armbruster wrote:
>> "info qom-tree" prints children in unstable order.  This is a pain
>> when diffing output for different versions to find change.  Print it
>> sorted.
>>
>> Signed-off-by: Markus Armbruster 
>> ---
>>  qom/qom-hmp-cmds.c | 24 
>>  1 file changed, 16 insertions(+), 8 deletions(-)
> 
>  Hi Markus,
> 
> this patch causes a slow down of the qtests which becomes quite massive
> when e.g. using the ppc64 and thorough testing. When I'm running
> 
> QTEST_QEMU_BINARY="ppc64-softmmu/qemu-system-ppc64" time \
> ./tests/qtest/device-introspect-test -m slow | tail -n 10
> 
> the test runs for ca. 6m40s here before the patch got applied, and for
> more than 20 minutes after the patch got applied!

Argh, yesterday I reviewed again all the range except this patch... not
sure why as looking at it now it is obvious.

> This causes our gitlab CI to constantly fail since the patch got merged,
> since the testing time now exceeds the 1h time limit:
> 
>  https://gitlab.com/qemu-project/qemu/-/pipelines/156767175
> 
> Sure, we can work around that problem in the CI (Alex has already a
> patch queued), but still, is there something you could do about this
> massive slowdown?

Suggestion: add a '-u' option for unsorted mode, to use in qtests.

Humans want the new behavior (default: sorted).

Regards,

Phil.




Slow down with: 'Make "info qom-tree" show children sorted'

2020-07-06 Thread Thomas Huth
On 27/05/2020 10.47, Markus Armbruster wrote:
> "info qom-tree" prints children in unstable order.  This is a pain
> when diffing output for different versions to find change.  Print it
> sorted.
> 
> Signed-off-by: Markus Armbruster 
> ---
>  qom/qom-hmp-cmds.c | 24 
>  1 file changed, 16 insertions(+), 8 deletions(-)

 Hi Markus,

this patch causes a slow down of the qtests which becomes quite massive
when e.g. using the ppc64 and thorough testing. When I'm running

QTEST_QEMU_BINARY="ppc64-softmmu/qemu-system-ppc64" time \
./tests/qtest/device-introspect-test -m slow | tail -n 10

the test runs for ca. 6m40s here before the patch got applied, and for
more than 20 minutes after the patch got applied!

This causes our gitlab CI to constantly fail since the patch got merged,
since the testing time now exceeds the 1h time limit:

 https://gitlab.com/qemu-project/qemu/-/pipelines/156767175

Sure, we can work around that problem in the CI (Alex has already a
patch queued), but still, is there something you could do about this
massive slowdown?

 Thanks,
  Thomas




Re: [PATCH 4/4] docs/fuzz: add instructions for generating a coverage report

2020-07-06 Thread Alexander Bulekov
On 200706 1555, Alexander Bulekov wrote:
> Signed-off-by: Alexander Bulekov 
> ---
>  docs/devel/fuzzing.txt | 19 +++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
> index 284d57f8fd..a9816ffce9 100644
> --- a/docs/devel/fuzzing.txt
> +++ b/docs/devel/fuzzing.txt
> @@ -85,6 +85,25 @@ better coverage performance, depending on the target.
>  Note that libFuzzer's exact behavior will depend on the version of
>  clang and libFuzzer used to build the device fuzzers.
>  
> +== Generating Coverage Reports ==
> +Code coverage is a crucial metric for evaluating a fuzzer's performance.
> +libFuzzer's output provides a "cov: " column that provides a total number of
> +unique blocks/edges covered. To examine coverage on a line-by-line basis we
> +can use Clang coverage:
> +
> + 1. Configure libFuzzer to store a corpus of all interesting inputs (see
> +CORPUS_DIR above)
> + 2. ./configure the QEMU build with:
> +--enable-sanitizers \
Oops... that should be --enable-fuzzing \

> +--extra-cflags="-fprofile-instr-generate -fcoverage-mapping"
> + 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling 
> libfuzzer
> +to execute all of the inputs in $CORPUS_DIR and exit. Once the process
> +exits, you should find a file, "default.profraw" in the working 
> directory.
> + 4. Execute these commands to generate a detailed HTML coverage-report:
> + llvm-profdata merge -output=default.profdata default.profraw
> + llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=default.profdata \
> + --format html -output-dir=/path/to/output/report
> +
>  == Adding a new fuzzer ==
>  Coverage over virtual devices can be improved by adding additional fuzzers.
>  Fuzzers are kept in tests/qtest/fuzz/ and should be added to
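Review bot: step 4 should state that llvm-profdata and llvm-cov have to come from the same LLVM release as the clang that built the fuzzer, because the raw profile format is version-specific and a mismatched llvm-profdata may refuse to read default.profraw. Since the configure example elsewhere in this file uses versioned binaries such as clang-8, naming the matching llvm-profdata-N and llvm-cov-N here would save readers a failed run. Step 3 also writes "libfuzzer" where the rest of the file uses "libFuzzer".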
> -- 
> 2.26.2
> 



Re: [PATCH 2/4] docs/fuzz: describe building fuzzers with enable-sanitizers

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/6/20 9:55 PM, Alexander Bulekov wrote:
> Signed-off-by: Alexander Bulekov 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  docs/devel/fuzzing.txt | 7 +--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
> index 324d2cd92b..382ade974e 100644
> --- a/docs/devel/fuzzing.txt
> +++ b/docs/devel/fuzzing.txt
> @@ -23,9 +23,12 @@ AddressSanitizer mmaps ~20TB of memory, as part of its 
> detection. This results
>  in a large page-map, and a much slower fork().
>  
>  To build the fuzzers, install a recent version of clang:
> -Configure with (substitute the clang binaries with the version you 
> installed):
> +Configure with (substitute the clang binaries with the version you 
> installed).
> +Here, enable-sanitizers, is optional but it allows us to reliably detect bugs
> +such as out-of-bounds accesses, use-after-frees, double-frees etc.
>  
> -CC=clang-8 CXX=clang++-8 /path/to/configure --enable-fuzzing
> +CC=clang-8 CXX=clang++-8 /path/to/configure --enable-fuzzing \
> +--enable-sanitizers
>  
>  Fuzz targets are built similarly to system/softmmu:
>  
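Review bot: the added sentence writes the option as "enable-sanitizers," with a stray comma and without its leading dashes; spell it --enable-sanitizers so it matches the configure line below it. The unchanged context just above says AddressSanitizer's ~20TB mmap makes fork() much slower, so the new paragraph should say that this slowdown is the cost of detecting the out-of-bounds accesses, use-after-frees and double-frees it lists.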
> 




Re: [PATCH 1/4] fuzz: build without AddressSanitizer, by default

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/6/20 9:55 PM, Alexander Bulekov wrote:
> We already have a nice --enable-sanitizers option to enable
> AddressSanitizer. There is no reason to duplicate and force this
> functionality in --enable-fuzzing. In the future, if more sanitizers are
> added to --enable-sanitizers, it might be impossible to build with both
> --enable-sanitizers and --enable-fuzzing, since not all sanitizers are
> compatible with libFuzzer. In that case, we could enable ASAN with
> --extra-cflags="-fsanitize=address"
> 
> Signed-off-by: Alexander Bulekov 

Reviewed-by: Philippe Mathieu-Daudé 

> ---
>  configure | 10 +-
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/configure b/configure
> index 8a65240d4a..010c0ca479 100755
> --- a/configure
> +++ b/configure
> @@ -6319,7 +6319,7 @@ fi
>  # checks for fuzzer
>  if test "$fuzzing" = "yes" ; then
>write_c_fuzzer_skeleton
> -  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=address,fuzzer" ""; then
> +  if compile_prog "$CPU_CFLAGS -Werror -fsanitize=fuzzer" ""; then
>have_fuzzer=yes
>fi
>  fi
> @@ -7858,11 +7858,11 @@ if test "$sheepdog" = "yes" ; then
>  fi
>  if test "$fuzzing" = "yes" ; then
>if test "$have_fuzzer" = "yes"; then
> -FUZZ_LDFLAGS=" -fsanitize=address,fuzzer"
> -FUZZ_CFLAGS=" -fsanitize=address,fuzzer"
> -CFLAGS=" -fsanitize=address,fuzzer-no-link"
> +FUZZ_LDFLAGS=" -fsanitize=fuzzer"
> +FUZZ_CFLAGS=" -fsanitize=fuzzer"
> +CFLAGS=" -fsanitize=fuzzer-no-link"
>else
> -error_exit "Your compiler doesn't support -fsanitize=address,fuzzer"
> +error_exit "Your compiler doesn't support -fsanitize=fuzzer"
>  exit 1
>fi
>  fi
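Review bot: with "address" dropped from FUZZ_LDFLAGS, FUZZ_CFLAGS and CFLAGS in the second hunk, a build configured with only --enable-fuzzing reports a memory error only when it happens to crash the process. configure should print a notice when fuzzing is enabled without --enable-sanitizers so that the loss of detection is a visible choice rather than a silent default. While this error path is being edited, the "exit 1" after error_exit looks unreachable if error_exit terminates as its name says.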
> 




Re: [PULL 07/15] hw/timer: RX62N 8-Bit timer (TMR)

2020-07-06 Thread Philippe Mathieu-Daudé
ping...?

On 6/29/20 11:58 AM, Philippe Mathieu-Daudé wrote:
> Hi Yoshinori,
> 
> On 6/25/20 11:25 AM, Peter Maydell wrote:
>> On Sun, 21 Jun 2020 at 13:54, Philippe Mathieu-Daudé  wrote:
>>>
>>> From: Yoshinori Sato 
>>>
>>> renesas_tmr: 8bit timer modules.
>>
>> Hi; the recent Coverity run reports a potential bug in this
>> code: (CID 1429976)
>>
>>
>>> +static uint16_t read_tcnt(RTMRState *tmr, unsigned size, int ch)
>>> +{
>>> +int64_t delta, now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
>>> +int elapsed, ovf = 0;
>>> +uint16_t tcnt[2];
>>
>> Here we declare tcnt[] but do not initialize its contents...
>>
>>> +uint32_t ret;
>>> +
>>> +delta = (now - tmr->tick) * NANOSECONDS_PER_SECOND / tmr->input_freq;
>>> +if (delta > 0) {
>>> +tmr->tick = now;
>>> +
>>> +if (FIELD_EX8(tmr->tccr[1], TCCR, CSS) == INTERNAL) {
>>> +/* timer1 count update */
>>> +elapsed = elapsed_time(tmr, 1, delta);
>>> +if (elapsed >= 0x100) {
>>> +ovf = elapsed >> 8;
>>> +}
>>> +tcnt[1] = tmr->tcnt[1] + (elapsed & 0xff);
>>> +}
>>> +switch (FIELD_EX8(tmr->tccr[0], TCCR, CSS)) {
>>> +case INTERNAL:
>>> +elapsed = elapsed_time(tmr, 0, delta);
>>> +tcnt[0] = tmr->tcnt[0] + elapsed;
>>> +break;
>>> +case CASCADING:
>>> +if (ovf > 0) {
>>> +tcnt[0] = tmr->tcnt[0] + ovf;
>>> +}
>>> +break;
>>> +}
>>
>> ...but not all cases here set both tcnt[0] and tcnt[1]
>> (for instance in the "case CASCADING:" if ovf <=0 we
>> won't set either of them)...
>>
>>> +} else {
>>> +tcnt[0] = tmr->tcnt[0];
>>> +tcnt[1] = tmr->tcnt[1];
>>> +}
>>> +if (size == 1) {
>>> +return tcnt[ch];
>>> +} else {
>>> +ret = 0;
>>> +ret = deposit32(ret, 0, 8, tcnt[1]);
>>> +ret = deposit32(ret, 8, 8, tcnt[0]);
>>> +return ret;
>>
>> ...and so here we will end up returning uninitialized
>> data. Presumably the spec says what value is actually
>> supposed to be returned in these cases?
>>
>> PS: the "else" branch with the deposit32() calls could be
>> rewritten more simply as
>>   return lduw_be_p(tcnt);
>>
>>> +static uint64_t tmr_read(void *opaque, hwaddr addr, unsigned size)
>>> +{
>>
>> In this function Coverity reports a missing "break" (CID 1429977):
>>
>>> +case A_TCORA:
>>> +if (size == 1) {
>>> +return tmr->tcora[ch];
>>> +} else if (ch == 0) {
>>> +return concat_reg(tmr->tcora);
>>> +}
>>
>> Here execution can fall through but there is no 'break' or '/* fallthrough 
>> */'.
>>
>>> +case A_TCORB:
>>> +if (size == 1) {
>>> +return tmr->tcorb[ch];
>>> +} else {
>>> +return concat_reg(tmr->tcorb);
>>> +}
>>
>> Is it correct that the A_TCORA and A_TCORB code is different?
>> It looks odd, so if this is intentional then a comment describing
>> why it is so might be helpful to readers.
> 
> Can you address Peter's comments please?
> 
>>
>> thanks
>> -- PMM
>>
> 




Re: [PATCH v2 1/2] tpm: tpm_spapr: Exit on TPM backend failures

2020-07-06 Thread Philippe Mathieu-Daudé
Hi Stefan,

On 7/7/20 6:05 AM, Stefan Berger wrote:
> Exit on TPM backend failures in the same way as the TPM CRB and TIS device
> models do.

Maybe the other models are not the best examples ;)

> 
> Signed-off-by: Stefan Berger 
> ---
>  hw/tpm/tpm_spapr.c | 5 -
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/tpm/tpm_spapr.c b/hw/tpm/tpm_spapr.c
> index cb4dfd1e6a..8288ab0a15 100644
> --- a/hw/tpm/tpm_spapr.c
> +++ b/hw/tpm/tpm_spapr.c
> @@ -306,7 +306,10 @@ static void tpm_spapr_reset(SpaprVioDevice *dev)
>  TPM_SPAPR_BUFFER_MAX);
>  
>  tpm_backend_reset(s->be_driver);
> -tpm_spapr_do_startup_tpm(s, s->be_buffer_size);
> +
> +if (tpm_spapr_do_startup_tpm(s, s->be_buffer_size) < 0) {

I don't see an error reported; how can users know the cause of the exit?

> +exit(1);

What about using this instead?

   qemu_system_shutdown_request(SHUTDOWN_CAUSE_HOST_ERROR);

> +}
>  }
>  
>  static enum TPMVersion tpm_spapr_get_version(TPMIf *ti)
> 




[PATCH v2 0/2] tpm: Some fixes

2020-07-06 Thread Stefan Berger
This series of patches fixes the TPM SPAPR device model so that it reacts
in the same way as the other device models do when the backend device did
not start up properly. It now calls exit(1).

Due to a change in the TPM 2 code, the pcrUpdateCounter (14th byte) in the
TPM2_Pcrread response now returns a different value than before. So it's
better to skip the 14th byte when comparing expected against actual responses.

   Stefan

v1->v2:
  - simplified skipping of 14th byte in response

Stefan Berger (2):
  tpm: tpm_spapr: Exit on TPM backend failures
  tests: Skip over pcrUpdateCounter byte in result comparison

 hw/tpm/tpm_spapr.c | 5 -
 tests/qtest/tpm-util.c | 6 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

-- 
2.24.1




[PATCH v2 2/2] tests: Skip over pcrUpdateCounter byte in result comparison

2020-07-06 Thread Stefan Berger
Due to a change in the TPM 2 code the pcrUpdate counter in the
PCRRead response is now different, so we skip comparison of the
14th byte.

Signed-off-by: Stefan Berger 
---
 tests/qtest/tpm-util.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/tpm-util.c b/tests/qtest/tpm-util.c
index 34efae8f18..58a9593745 100644
--- a/tests/qtest/tpm-util.c
+++ b/tests/qtest/tpm-util.c
@@ -139,7 +139,11 @@ void tpm_util_pcrread(QTestState *s, tx_func *tx,
 
 tx(s, tpm_pcrread, sizeof(tpm_pcrread), buffer, sizeof(buffer));
 
-g_assert_cmpmem(buffer, exp_resp_size, exp_resp, exp_resp_size);
+/* skip pcrUpdateCounter (14th byte) in comparison */
+g_assert(exp_resp_size >= 15);
+g_assert_cmpmem(buffer, 13, exp_resp, 13);
+g_assert_cmpmem(&buffer[14], exp_resp_size - 14,
+&exp_resp[14], exp_resp_size - 14);
 }
 
 bool tpm_util_swtpm_has_tpm2(void)
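Review bot: the two g_assert_cmpmem() calls leave out only index 13, but pcrUpdateCounter in a TPM2_PCR_Read response is a 32-bit big-endian field occupying bytes 10 to 13 after the 10-byte response header. The comparison of the first 13 bytes therefore still covers the counter's upper three bytes and passes only while expected and actual counters differ in the lowest byte alone. Comparing the first 10 bytes and resuming at offset 14 would skip the whole field, and the comment should name the offsets rather than "14th byte".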
-- 
2.24.1




[PATCH v2 1/2] tpm: tpm_spapr: Exit on TPM backend failures

2020-07-06 Thread Stefan Berger
Exit on TPM backend failures in the same way as the TPM CRB and TIS device
models do.

Signed-off-by: Stefan Berger 
---
 hw/tpm/tpm_spapr.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/tpm/tpm_spapr.c b/hw/tpm/tpm_spapr.c
index cb4dfd1e6a..8288ab0a15 100644
--- a/hw/tpm/tpm_spapr.c
+++ b/hw/tpm/tpm_spapr.c
@@ -306,7 +306,10 @@ static void tpm_spapr_reset(SpaprVioDevice *dev)
 TPM_SPAPR_BUFFER_MAX);
 
 tpm_backend_reset(s->be_driver);
-tpm_spapr_do_startup_tpm(s, s->be_buffer_size);
+
+if (tpm_spapr_do_startup_tpm(s, s->be_buffer_size) < 0) {
+exit(1);
+}
 }
 
 static enum TPMVersion tpm_spapr_get_version(TPMIf *ti)
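Review bot: the new exit(1) in tpm_spapr_reset() terminates QEMU without saying why. Unless tpm_spapr_do_startup_tpm() already reports the backend failure, add an error_report() naming the TPM backend before the exit, so that a VM which dies during reset leaves a diagnosable message in the log.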
-- 
2.24.1




Re: [PATCH v3] hw/core/qdev: Increase qdev_realize() kindness

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/7/20 5:33 AM, Philippe Mathieu-Daudé wrote:
> Since commit 510ef98dca5, qdev_realize() aborts if bus-less device
> is realized on a bus. While commits 514db7710b..007d1dbf72 took
> care of converting all mainstream uses, QEMU forks weren't. These

I guess I missed "weren't [converted]".

> forks are usually maintained by hobbyists with interest in following
> mainstream development, but with limited time, so usually rebase
> from time to time. To avoid them to spend time on debugging and
> reading git-log history, display a kind hint about what is wrong.
> 
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
> Since v2:
> - scratch __func__ (armbru)
> - reword to justify this is not an impossible case (armbru)
> ---
>  hw/core/qdev.c | 7 +--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/core/qdev.c b/hw/core/qdev.c
> index 2131c7f951..a16f1270f1 100644
> --- a/hw/core/qdev.c
> +++ b/hw/core/qdev.c
> @@ -392,8 +392,11 @@ bool qdev_realize(DeviceState *dev, BusState *bus, Error 
> **errp)
>  
>  if (bus) {
>  qdev_set_parent_bus(dev, bus);
> -} else {
> -assert(!DEVICE_GET_CLASS(dev)->bus_type);
> +} else if (DEVICE_GET_CLASS(dev)->bus_type) {
> +error_setg(errp, "Unexpected bus '%s' for bus-less device '%s'",
> +   DEVICE_GET_CLASS(dev)->bus_type,
> +   object_get_typename(OBJECT(dev)));
> +return false;
>  }
>  
>  object_property_set_bool(OBJECT(dev), true, "realized", &err);
> 



[PATCH v3] hw/core/qdev: Increase qdev_realize() kindness

2020-07-06 Thread Philippe Mathieu-Daudé
Since commit 510ef98dca5, qdev_realize() aborts if bus-less device
is realized on a bus. While commits 514db7710b..007d1dbf72 took
care of converting all mainstream uses, QEMU forks weren't. These
forks are usually maintained by hobbyists with interest in following
mainstream development, but with limited time, so usually rebase
from time to time. To avoid them to spend time on debugging and
reading git-log history, display a kind hint about what is wrong.

Signed-off-by: Philippe Mathieu-Daudé 
---
Since v2:
- scratch __func__ (armbru)
- reword to justify this is not an impossible case (armbru)
---
 hw/core/qdev.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/hw/core/qdev.c b/hw/core/qdev.c
index 2131c7f951..a16f1270f1 100644
--- a/hw/core/qdev.c
+++ b/hw/core/qdev.c
@@ -392,8 +392,11 @@ bool qdev_realize(DeviceState *dev, BusState *bus, Error 
**errp)
 
 if (bus) {
 qdev_set_parent_bus(dev, bus);
-} else {
-assert(!DEVICE_GET_CLASS(dev)->bus_type);
+} else if (DEVICE_GET_CLASS(dev)->bus_type) {
+error_setg(errp, "Unexpected bus '%s' for bus-less device '%s'",
+   DEVICE_GET_CLASS(dev)->bus_type,
+   object_get_typename(OBJECT(dev)));
+return false;
 }
 
 object_property_set_bool(OBJECT(dev), true, "realized", &err);
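Review bot: the message in the new else-if branch describes the opposite of the condition it reports. The branch runs when bus is NULL and the device class has a bus_type, that is, a device that needs a bus was realized without one, yet the text reads "Unexpected bus '%s' for bus-less device '%s'". Wording along the lines of "Device '%s' requires a bus of type '%s' but none was given" matches the check and tells the fork maintainer what to change.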
-- 
2.21.3




[PATCH] tests/qtest/libqtest: Do not overwrite child coredump

2020-07-06 Thread Philippe Mathieu-Daudé
We are interested in the coredump of the child, not the qtest
parent. If the child generated a coredump, simply call
exit(EXIT_FAILURE) in the parent to avoid overwriting the
child coredump.

Fixes: 71a268a5fd ("tests/libqtest: Improve kill_qemu()")
Signed-off-by: Philippe Mathieu-Daudé 
---
 tests/qtest/libqtest.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index 49075b55a1..bd85d01145 100644
--- a/tests/qtest/libqtest.c
+++ b/tests/qtest/libqtest.c
@@ -173,7 +173,12 @@ static void kill_qemu(QTestState *s)
 fprintf(stderr, "%s:%d: kill_qemu() detected QEMU death "
 "from signal %d (%s)%s\n",
 __FILE__, __LINE__, sig, signame, dump);
-abort();
+if (WCOREDUMP(wstatus)) {
+/* Preserve child coredump */
+exit(1);
+} else {
+abort();
+}
 }
 }
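Review bot: WCOREDUMP() in the new branch is not specified by POSIX, so a host whose <sys/wait.h> lacks it will fail to build unless the test is wrapped in #ifdef WCOREDUMP with abort() as the fallback. The commit message says exit(EXIT_FAILURE) while the code calls exit(1); using the named constant keeps the two in agreement.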
 
-- 
2.21.3




[Bug 1886602] Re: Windows 10 very slow with OVMF

2020-07-06 Thread Alex Austin
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.0.0 present.
Table at 0x9A694000.

...

Handle 0x000A, DMI type 4, 48 bytes
Processor Information
Socket Designation: U3E1
Type: Central Processor
Family: Core i7
...
Core Count: 2
Core Enabled: 2
Thread Count: 4
Characteristics:
64-bit capable
Multi-Core
Hardware Thread
Execute Protection
Enhanced Virtualization
Power/Performance Control


Handle 0x000B, DMI type 0, 24 bytes
BIOS Information
Vendor: LENOVO
Version: N1QET88W (1.63 )
Release Date: 04/22/2020
Address: 0xE
Runtime Size: 128 kB
ROM Size: 16 MB
Characteristics:
PCI is supported
PNP is supported
BIOS is upgradeable
BIOS shadowing is allowed
Boot from CD is supported
Selectable boot is supported
EDD is supported
3.5"/720 kB floppy services are supported (int 13h)
Print screen service is supported (int 5h)
8042 keyboard services are supported (int 9h)
Serial services are supported (int 14h)
Printer services are supported (int 17h)
CGA/mono video services are supported (int 10h)
ACPI is supported
USB legacy is supported
BIOS boot specification is supported
Targeted content distribution is supported
UEFI is supported
BIOS Revision: 1.63
Firmware Revision: 1.35

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1886602

Title:
  Windows 10 very slow with OVMF

Status in QEMU:
  New

Bug description:
  Debian Buster

  Kernel 4.19.0-9-amd64
  qemu-kvm 1:3.1+dfsg-8+deb10u5
  ovmf 0~20181115.85588389-3+deb10u1

  Machine: Thinkpad T470, i7-7500u, 20GB RAM
  VM: 4 CPUs, 8GB RAM, Broadwell-noTSX CPU Model

  Windows 10, under this VM, seems to be exceedingly slow with all
  operations. This is a clean install with very few services running.
  Task Manager can take 30% CPU looking at an idle system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1886602/+subscriptions



RE: [PATCH 3/3] target/nios2: Use gen_io_start around wrctl instruction

2020-07-06 Thread Wu, Wentong
Hi,
I think we can get this patch series merged first in order to get qemu_nios2 
working with icount, actually we are blocked by it for some time. 
BTW if maintainers (Chris Wulff and Marek Vasut) don't have time for the 
re-work, I'd like to take it.

Thanks
> -Original Message-
> From: Peter Maydell  
> Sent: Monday, July 6, 2020 1:10 AM
> To: Wu, Wentong 
> Cc: QEMU Developers ; QEMU Trivial 
> ; Chris Wulff ; Marek Vasut 
> 
> Subject: Re: [PATCH 3/3] target/nios2: Use gen_io_start around wrctl 
> instruction
>
> On Mon, 29 Jun 2020 at 09:17, Wentong Wu  wrote:
> >
> > wrctl instruction on nios2 target will cause checking cpu interrupt 
> > but tcg_handle_interrupt() will call cpu_abort() if the CPU gets an 
> > interrupt while it's not in 'can do IO'
> > state, so add gen_io_start around wrctl instruction. Also at the same 
> > time, end the ongoing TB with DISAS_UPDATE.
> >
> > Signed-off-by: Wentong Wu 
> > ---
> >  target/nios2/translate.c | 5 +
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/target/nios2/translate.c b/target/nios2/translate.c index 
> > 83c10eb2..51347ada 100644
> > --- a/target/nios2/translate.c
> > +++ b/target/nios2/translate.c
> > @@ -32,6 +32,7 @@
> >  #include "exec/cpu_ldst.h"
> >  #include "exec/translator.h"
> >  #include "qemu/qemu-print.h"
> > +#include "exec/gen-icount.h"
> >
> >  /* is_jmp field values */
> >  #define DISAS_JUMPDISAS_TARGET_0 /* only pc was modified dynamically */
> > @@ -518,7 +519,11 @@ static void wrctl(DisasContext *dc, uint32_t code, 
> > uint32_t flags)
> >  /* If interrupts were enabled using WRCTL, trigger them. */  #if 
> > !defined(CONFIG_USER_ONLY)
> >  if ((instr.imm5 + CR_BASE) == CR_STATUS) {
> > +if (tb_cflags(dc->tb) & CF_USE_ICOUNT) {
> > +gen_io_start();
> > +}
> >  gen_helper_check_interrupts(dc->cpu_env);
> > +dc->is_jmp = DISAS_UPDATE;
> >  }
> >  #endif
> >  }
> 
> Reviewed-by: Peter Maydell 
>
> though as Richard notes ideally the interrupt handling code here should be 
> rewritten because the check_interrupts helper is a very weird way to 
> implement things.
>
> thanks
> -- PMM


[Bug 1886602] [NEW] Windows 10 very slow with OVMF

2020-07-06 Thread Alex Austin
Public bug reported:

Debian Buster

Kernel 4.19.0-9-amd64
qemu-kvm 1:3.1+dfsg-8+deb10u5
ovmf 0~20181115.85588389-3+deb10u1

Machine: Thinkpad T470, i7-7500u, 20GB RAM
VM: 4 CPUs, 8GB RAM, Broadwell-noTSX CPU Model

Windows 10, under this VM, seems to be exceedingly slow with all
operations. This is a clean install with very few services running. Task
Manager can take 30% CPU looking at an idle system.

** Affects: qemu
 Importance: Undecided
 Status: New




Re: [PULL v2 12/64] target/riscv: add vector amo operations

2020-07-06 Thread LIU Zhiwei




On 2020/7/7 7:36, Alistair Francis wrote:

On Sun, Jul 5, 2020 at 11:20 AM Peter Maydell  wrote:

On Thu, 2 Jul 2020 at 17:33, Alistair Francis  wrote:

From: LIU Zhiwei 

Vector AMOs operate as if aq and rl bits were zero on each element
with regard to ordering relative to other instructions in the same hart.
Vector AMOs provide no ordering guarantee between element operations
in the same vector AMO instruction

Hi; Coverity thinks (probably wrongly) that there might be an array
overflow here:


+static bool amo_op(DisasContext *s, arg_rwdvm *a, uint8_t seq)
+{
+uint32_t data = 0;
+gen_helper_amo *fn;
+static gen_helper_amo *const fnsw[9] = {

This is a 9-element array...


+/* no atomic operation */
+gen_helper_vamoswapw_v_w,
+gen_helper_vamoaddw_v_w,
+gen_helper_vamoxorw_v_w,
+gen_helper_vamoandw_v_w,
+gen_helper_vamoorw_v_w,
+gen_helper_vamominw_v_w,
+gen_helper_vamomaxw_v_w,
+gen_helper_vamominuw_v_w,
+gen_helper_vamomaxuw_v_w
+};
+if (tb_cflags(s->base.tb) & CF_PARALLEL) {
+gen_helper_exit_atomic(cpu_env);
+s->base.is_jmp = DISAS_NORETURN;
+return true;
+} else {
+if (s->sew == 3) {
+#ifdef TARGET_RISCV64
+fn = fnsd[seq];
+#else
+/* Check done in amo_check(). */
+g_assert_not_reached();
+#endif
+} else {
+fn = fnsw[seq];

...which we here index via 'seq'...



+#ifdef TARGET_RISCV64
+GEN_VEXT_TRANS(vamoswapd_v, 9, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamoaddd_v, 10, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamoxord_v, 11, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamoandd_v, 12, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamoord_v, 13, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamomind_v, 14, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamomaxd_v, 15, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamominud_v, 16, rwdvm, amo_op, amo_check)
+GEN_VEXT_TRANS(vamomaxud_v, 17, rwdvm, amo_op, amo_check)
+#endif

...which in the calls that these macros expand out to can
be 9 or greater.

If it's in fact impossible to get into that code path
with a value of seq that's larger than the array, it
would help Coverity if we asserted so, maybe
assert(seq < ARRAY_SIZE(fnsw));

This is CID 1430177, 1430178, 1430179, 1430180, 1430181,
1430182, 1430183, 1430184, 1430185, 14305186.

@ LIU Zhiwei can you please look into this and send a patch with a fix?

Sure.

I will think about Richard's comments  before I send a patch to fix it.

I applied for a Coverity account just a moment ago, so that I can see 
what the CID details are.


Best Regards,
Zhiwei

Alistair


thanks
-- PMM





[PATCH v2] .mailmap: Update Paul Burton email address

2020-07-06 Thread Philippe Mathieu-Daudé
Following the Linux kernel equivalent patch posted on
linux-m...@vger.kernel.org [*], update Paul Burton email
address to avoid emails bouncing.

[*] 'MAINTAINERS: Use @kernel.org address for Paul Burton'
https://lore.kernel.org/patchwork/patch/1140341/

Cc: Paul Burton 
Suggested-by: Paolo Bonzini 
Signed-off-by: Philippe Mathieu-Daudé 
---
 .mailmap | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.mailmap b/.mailmap
index 926cac6bb8..fe4c561338 100644
--- a/.mailmap
+++ b/.mailmap
@@ -49,9 +49,10 @@ Filip Bozuta  

 Frederic Konrad  
 James Hogan  
 Leif Lindholm  
-Paul Burton  
-Paul Burton  
-Paul Burton  
+Paul Burton  
+Paul Burton  
+Paul Burton  
+Paul Burton  
 Philippe Mathieu-Daudé  
 Stefan Brankovic  
 Yongbok Kim  
-- 
2.21.3




RE: [PATCH] intel_iommu: Use correct shift for 256 bits qi descriptor

2020-07-06 Thread Liu, Yi L
> From: Peter Xu 
> Sent: Tuesday, July 7, 2020 4:58 AM
> 
> On Sat, Jul 04, 2020 at 01:07:15AM -0700, Liu Yi L wrote:
> > In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was
> > introduced in VTD_IQA_REG. Software could set this bit to tell VT-d
> > the QI descriptor from software would be 256 bits. Accordingly, the
> > VTD_IQH_QH_SHIFT should be 5 when descriptor size is 256 bits.
> >
> > This patch adds the DW bit check when deciding the shift used to
> > update VTD_IQH_REG.
> >
> > Signed-off-by: Liu Yi L 
> 
> Reviewed-by: Peter Xu 

thanks.

Regards,
Yi Liu


Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/7/20 3:14 AM, Richard Henderson wrote:
> On 6/29/20 12:08 AM, Philippe Mathieu-Daudé wrote:
>> Coverity noticed commit 950c4e6c94 introduced a dereference before
>> null check in get_opt_value (CID1391003):
>>
>>   In get_opt_value: All paths that lead to this null pointer
>>   comparison already dereference the pointer earlier (CWE-476)
>>
>> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
>> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
>> for the 'value' parameter".
>>
>> Since this function is publicly exposed, it risks new users to do
>> the same error again. Avoid that documenting the 'value' argument
>> must not be NULL.
> 
> I think we should also add some use of __attribute__((nonnull(...))) to 
> enforce
> this within the compiler.
> 
> I recently did this without a qemu/compiler.h QEMU_FOO wrapper within
> target/arm.  But the nonnull option has optional arguments, so it might be
> difficult to wrap in macros.

I have this patch after your suggestion from last year:

+#if __has_attribute(nonnull)
+# define QEMU_NONNULL(LIST) __attribute__((nonnull((LIST
+#else
+# define QEMU_NONNULL(LIST)
+#endif
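Review bot: QEMU_NONNULL(LIST) takes a single macro parameter, so each use can name only one argument index, and an invocation with two indices such as QEMU_NONNULL(1, 2) will not expand. Defining it as QEMU_NONNULL(...) and passing __VA_ARGS__ to nonnull() would handle the attribute's optional index list. The body as posted, __attribute__((nonnull((LIST, also leaves its parentheses unclosed.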

Examples:

 SpaprDrc *spapr_dr_connector_new(Object *owner, const char *type,
- uint32_t id);
+ uint32_t id) QEMU_NONNULL(1);
 SpaprDrc *spapr_drc_by_index(uint32_t index);
 SpaprDrc *spapr_drc_by_id(const char *type, uint32_t id);
-int spapr_dt_drc(void *fdt, int offset, Object *owner, uint32_t
drc_type_mask);
+int spapr_dt_drc(void *fdt, int offset, Object *owner, uint32_t
drc_type_mask)
+ QEMU_NONNULL(3);

...


 /**
  * memory_region_init_iommu: Initialize a memory region of a custom type
@@ -1066,7 +1073,8 @@ void memory_region_init_iommu(void *_iommu_mr,
   const char *mrtypename,
   Object *owner,
   const char *name,
-  uint64_t size);
+  uint64_t size)
+  QEMU_NONNULL(4);

 /**
  * memory_region_init_ram - Initialize RAM memory region.  Accesses
into the
@@ -1154,7 +1162,8 @@ void memory_region_init_rom_device(MemoryRegion *mr,
void *opaque,
const char *name,
uint64_t size,
-   Error **errp);
+   Error **errp)
+   QEMU_NONNULL(2);

I can send as RFC if that looks OK to you.

Regards,

Phil.



[PATCH] riscv: Add OpenTitan Big Number (OTBN) device address

2020-07-06 Thread Julio Faracco
This commit adds basic sketches to implement an OTBN unit.
OTBN has address 0x5000 and size 0x40.
For further reference, see OTBN documentation:
https://docs.opentitan.org/hw/ip/otbn/doc/

Signed-off-by: Julio Faracco 
---
 hw/riscv/opentitan.c | 5 -
 include/hw/riscv/opentitan.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/hw/riscv/opentitan.c b/hw/riscv/opentitan.c
index 19223e4c29..8a5d060b57 100644
--- a/hw/riscv/opentitan.c
+++ b/hw/riscv/opentitan.c
@@ -50,7 +50,8 @@ static const struct MemmapEntry {
 [IBEX_ALERT_HANDLER] =  {  0x4013,  0x1 },
 [IBEX_NMI_GEN] ={  0x4014,  0x1 },
 [IBEX_USBDEV] = {  0x4015,  0x1 },
-[IBEX_PADCTRL] ={  0x4016,  0x1 }
+[IBEX_PADCTRL] ={  0x4016,  0x1 },
+[IBEX_OTBN] =   {  0x5000, 0x40 }
 };
 
 static void opentitan_board_init(MachineState *machine)
@@ -183,6 +184,8 @@ static void lowrisc_ibex_soc_realize(DeviceState *dev_soc, 
Error **errp)
 memmap[IBEX_USBDEV].base, memmap[IBEX_USBDEV].size);
 create_unimplemented_device("riscv.lowrisc.ibex.padctrl",
 memmap[IBEX_PADCTRL].base, memmap[IBEX_PADCTRL].size);
+create_unimplemented_device("riscv.lowrisc.ibex.otbn",
+memmap[IBEX_PADCTRL].base, memmap[IBEX_OTBN].size);
 }
 
 static void lowrisc_ibex_soc_class_init(ObjectClass *oc, void *data)
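Review bot: the new create_unimplemented_device() call for "riscv.lowrisc.ibex.otbn" passes memmap[IBEX_PADCTRL].base together with memmap[IBEX_OTBN].size, so the OTBN stub is mapped over the padctrl region created just above it instead of at its own address. The base argument should be memmap[IBEX_OTBN].base.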
diff --git a/include/hw/riscv/opentitan.h b/include/hw/riscv/opentitan.h
index 8f29b9cbbf..c739d44fbc 100644
--- a/include/hw/riscv/opentitan.h
+++ b/include/hw/riscv/opentitan.h
@@ -68,6 +68,7 @@ enum {
 IBEX_NMI_GEN,
 IBEX_USBDEV,
 IBEX_PADCTRL,
+IBEX_OTBN,
 };
 
 enum {
-- 
2.25.1




Re: [PATCH] target/arm: Fix mtedesc for do_mem_zpz

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/6/20 10:23 PM, Richard Henderson wrote:
> The mtedesc that was contructed was not actually passed in.

Typo "constructed".

Reviewed-by: Philippe Mathieu-Daudé 

> Found by Coverity (CID 1429996).
> 
> Fixes: d28d12f008e
> Signed-off-by: Richard Henderson 
> ---
>  target/arm/translate-sve.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
> index 08f0fd15b2..88a2fb271d 100644
> --- a/target/arm/translate-sve.c
> +++ b/target/arm/translate-sve.c
> @@ -5275,7 +5275,7 @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, 
> int zm,
>  desc = FIELD_DP32(desc, MTEDESC, ESIZE, 1 << msz);
>  desc <<= SVE_MTEDESC_SHIFT;
>  }
> -desc = simd_desc(vsz, vsz, scale);
> +desc = simd_desc(vsz, vsz, desc | scale);
>  t_desc = tcg_const_i32(desc);
>  
>  tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, pg));
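Review bot: desc is now read unconditionally in simd_desc(vsz, vsz, desc | scale), while the lines that assign it sit inside the conditional block closed just above. Please confirm that desc is initialised to 0 at its declaration so the non-MTE path does not OR an indeterminate value into the descriptor, and that scale cannot overlap the bits moved up by SVE_MTEDESC_SHIFT.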
> 




Re: [PATCH 2/4] hw/lm32/milkymist: Comment to remember some IRQs lines are left unwired

2020-07-06 Thread Philippe Mathieu-Daudé
On 7/6/20 8:32 PM, Alistair Francis wrote:
> On Mon, Jul 6, 2020 at 11:04 AM Philippe Mathieu-Daudé  
> wrote:
>>
>> On 7/6/20 6:19 PM, Alistair Francis wrote:
>>> On Sun, Jul 5, 2020 at 2:10 PM Philippe Mathieu-Daudé  
>>> wrote:

 The 'card is readonly' and 'card inserted' IRQs are not wired.
 Add a comment in case someone knows where to wire them.

 Signed-off-by: Philippe Mathieu-Daudé 
>>>
>>> I'm not convinced adding fixmes or todos in the code is the right
>>> direction. It would be better to file bugs or use some other more
>>> official tracking mechanism.
>>
>> This code is orphan :S
>>
>> I'll file a launchpad bug ticket.
> 
> I also mean in general (you have some other patches that add TODOs or FIXMEs).

Not all developers look at launchpad, while all of them read the code ;)

$ git grep -E '(TODO|FIXME)' | wc -l
1899

For orphan code, a comment in the code might be better to remember
the technical debt to the next developers interested to rework this
piece of code (I'd rather not trust they'll dig in the mailing list
archive and launchpad tickets while staring at the code).

> 
>>
>> OTOH we could also log UNIMP for lost IRQs (triggered but
>> no handler registered).
> 
> That would also work.
> 
> Alistair
> 
>>
>>>
>>> Alistair
>>>
 ---
  hw/lm32/milkymist.c | 1 +
  1 file changed, 1 insertion(+)

 diff --git a/hw/lm32/milkymist.c b/hw/lm32/milkymist.c
 index 469e3c4322..117973c967 100644
 --- a/hw/lm32/milkymist.c
 +++ b/hw/lm32/milkymist.c
 @@ -87,6 +87,7 @@ static DeviceState *milkymist_memcard_create(hwaddr base)
  dev = qdev_new("milkymist-memcard");
  sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
  sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);
 +/* FIXME wire 'card is readonly' and 'card inserted' IRQs? */

  return dev;
  }
 --
 2.21.3


>>>
> 



Re: [PATCH v2] util/qemu-option: Document the get_opt_value() function

2020-07-06 Thread Richard Henderson
On 6/29/20 12:08 AM, Philippe Mathieu-Daudé wrote:
> Coverity noticed commit 950c4e6c94 introduced a dereference before
> null check in get_opt_value (CID1391003):
> 
>   In get_opt_value: All paths that lead to this null pointer
>   comparison already dereference the pointer earlier (CWE-476)
> 
> We fixed this in commit 6e3ad3f0e31, but relaxed the check in commit
> 0c2f6e7ee99 because "No callers of get_opt_value() pass in a NULL
> for the 'value' parameter".
> 
> Since this function is publicly exposed, it risks new users to do
> the same error again. Avoid that documenting the 'value' argument
> must not be NULL.

I think we should also add some use of __attribute__((nonnull(...))) to enforce
this within the compiler.

I recently did this without a qemu/compiler.h QEMU_FOO wrapper within
target/arm.  But the nonnull option has optional arguments, so it might be
difficult to wrap in macros.


r~
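
An added example (not QEMU code and not part of either message) of the wrapper discussed above: because nonnull accepts an optional index list, a variadic macro covers the per-parameter form and a second macro covers the all-pointers form. The EX_ macros, ex_value_len(), ex_opt_value() and ex_opt_value_checked() are hypothetical names, and the parser is a simplified stand-in, not get_opt_value() itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Compilers without __has_attribute: treat every attribute as absent. */
#ifndef __has_attribute
# define __has_attribute(x) 0
#endif

/*
 * Hypothetical wrappers (EX_ prefix, not QEMU macros). nonnull takes an
 * optional index list, so the variadic form names specific parameters and
 * the bare form applies to every pointer parameter.
 */
#if __has_attribute(nonnull)
# define EX_NONNULL(...)  __attribute__((nonnull(__VA_ARGS__)))
# define EX_NONNULL_ALL   __attribute__((nonnull))
#else
# define EX_NONNULL(...)
# define EX_NONNULL_ALL
#endif

static size_t ex_value_len(const char *p) EX_NONNULL_ALL;
static const char *ex_opt_value(const char *p, char **value) EX_NONNULL(1, 2);

/* Length of the text before the next ',' (or the end of the string). */
static size_t ex_value_len(const char *p)
{
    return strcspn(p, ",");
}

/*
 * Simplified stand-in for an option-value parser: copies the text up to the
 * next ',' into a new string stored in *value and returns the rest of the
 * input. Both pointers are dereferenced unconditionally; the attribute
 * states that contract. The compiler warns only when it can prove an
 * argument is NULL, and it may delete NULL tests placed inside an annotated
 * function, so no such test is written here.
 */
static const char *ex_opt_value(const char *p, char **value)
{
    size_t len = ex_value_len(p);
    char *copy = malloc(len + 1);

    if (copy) {
        memcpy(copy, p, len);
        copy[len] = '\0';
    }
    *value = copy;
    return p[len] == ',' ? p + len + 1 : p + len;
}

/*
 * Unannotated entry point for callers that cannot be audited: the run-time
 * check lives outside the nonnull function, where the optimiser has no
 * licence to remove it. Returns 0 on success, -1 on a NULL argument or
 * allocation failure.
 */
int ex_opt_value_checked(const char *p, char **value, const char **rest)
{
    if (!p || !value || !rest) {
        return -1;
    }
    *rest = ex_opt_value(p, value);
    return *value ? 0 : -1;
}

int main(void)
{
    char *v = NULL;
    const char *rest = NULL;

    /* Constructed sample input. */
    if (ex_opt_value_checked("file=a.img,if=none", &v, &rest) == 0) {
        printf("value=%s rest=%s\n", v, rest);
        free(v);
    }
    printf("NULL value pointer -> %d\n",
           ex_opt_value_checked("x", NULL, &rest));
    return 0;
}
```
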



Re: [PATCH qemu v9] spapr: Implement Open Firmware client interface

2020-07-06 Thread Alexey Kardashevskiy
Ping?


On 24/06/2020 10:28, Alexey Kardashevskiy wrote:
> Ping?
> 
> On 02/06/2020 21:40, Alexey Kardashevskiy wrote:
>> Ping?
>>
>> On 13/05/2020 13:58, Alexey Kardashevskiy wrote:
>>> The PAPR platform describes an OS environment that's presented by
>>> a combination of a hypervisor and firmware. The features it specifies
>>> require collaboration between the firmware and the hypervisor.
>>>
>>> Since the beginning, the runtime component of the firmware (RTAS) has
>>> been implemented as a 20 byte shim which simply forwards it to
>>> a hypercall implemented in qemu. The boot time firmware component is
>>> SLOF - but a build that's specific to qemu, and has always needed to be
>>> updated in sync with it. Even though we've managed to limit the amount
>>> of runtime communication we need between qemu and SLOF, there's some,
>>> and it has become increasingly awkward to handle as we've implemented
>>> new features.
>>>
>>> This implements a boot time OF client interface (CI) which is
>>> enabled by a new "x-vof" pseries machine option (stands for "Virtual Open
>>> Firmware"). When enabled, QEMU implements the custom H_OF_CLIENT hcall
>>> which implements Open Firmware Client Interface (OF CI). This allows
>>> using a smaller stateless firmware which does not have to manage
>>> the device tree.
>>>
>>> The new "vof.bin" firmware image is included with source code under
>>> pc-bios/. It also includes RTAS blob.
>>>
>>> This implements a handful of CI methods just to get -kernel/-initrd
>>> working. In particular, this implements the device tree fetching and
>>> simple memory allocator - "claim" (an OF CI memory allocator) and updates
>>> "/memory@0/available" to report the client about available memory.
>>>
>>> This implements changing some device tree properties which we know how
>>> to deal with, the rest is ignored. To allow changes, this skips
>>> fdt_pack() when x-vof=on as not packing the blob leaves some room for
>>> appending.
>>>
>>> In absence of SLOF, this assigns phandles to device tree nodes to make
>>> device tree traversing work.
>>>
>>> When x-vof=on, this adds "/chosen" every time QEMU (re)builds a tree.
>>>
>>> This adds basic instances support which are managed by a hash map
>>> ihandle -> [phandle].
>>>
>>> Before the guest started, the used memory is:
>>> 0..4000 - the initial firmware
>>> 1..18 - stack
>>>
>>> This OF CI does not implement "interpret".
>>>
>>> With this basic support, this can only boot into kernel directly.
>>> However this is just enough for the petitboot kernel and initramdisk to
>>> boot from any possible source. Note this requires reasonably recent guest
>>> kernel with:
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=df5be5be8735
>>>
>>> Signed-off-by: Alexey Kardashevskiy 
>>> ---
>>>
>>> The example command line is:
>>>
>>> pbuild/qemu-killslof-localhost-ppc64/ppc64-softmmu/qemu-system-ppc64 \
>>> -nodefaults \
>>> -chardev stdio,id=STDIO0,signal=off,mux=on \
>>> -device spapr-vty,id=svty0,reg=0x71000110,chardev=STDIO0 \
>>> -mon id=MON0,chardev=STDIO0,mode=readline \
>>> -nographic \
>>> -vga none \
>>> -machine pseries,x-vof=on,cap-cfpc=broken,cap-sbbc=broken,cap-ibs=broken,cap-ccf-assist=off \
>>> -m 16G \
>>> -kernel pbuild/kernel-le-guest/vmlinux \
>>> -initrd pb/rootfs.cpio.xz \
>>> -device virtio-scsi-pci,id=vscsi0 \
>>> -drive id=DRIVE0,if=none,file=img/f30le.qcow2,format=qcow2 \
>>> -device scsi-hd,id=scsi-hd0,drive=DRIVE0 \
>>> -enable-kvm \
>>> -bios p/qemu-killslof/pc-bios/vof.bin \
>>> -snapshot \
>>> -smp 1 \
>>> -L /home/aik/t/qemu-ppc64-bios/ \
>>> -trace events=qemu_trace_events \
>>> -d guest_errors \
>>> -chardev socket,id=SOCKET0,server,nowait,path=qemu.mon.ssh55056 \
>>> -mon chardev=SOCKET0,mode=control
>>>
>>> ---
>>> Changes:
>>> v9:
>>> * remove special handling of /rtas/rtas-size as now we always add it in QEMU
>>> * removed leftovers from scsi/grub/stdout/stdin/...
>>>
>>> v8:
>>> * no read/write/seek
>>> * no @dev in instances
>>> * the machine flag is "x-vof" for now
>>>
>>> v7:
>>> * now we have a small firmware which loads at 0 as SLOF and starts from
>>> 0x100 as SLOF
>>> * no MBR/ELF/GRUB business in QEMU anymore
>>> * blockdev is a separate patch
>>> * networking is a separate patch
>>>
>>> v6:
>>> * borrowed a big chunk of commit log introduction from David
>>> * fixed initial stack pointer (points to the highest address of stack)
>>> * traces for "interpret" and others
>>> * disabled  translate_kernel_address() hack so grub can load (work in
>>> progress)
>>> * added "milliseconds" for grub
>>> * fixed "claim" allocator again
>>> * moved FDT_MAX_SIZE to spapr.h as spapr_of_client.c wants it too for CAS
>>> * moved the most code possible from spapr.c to spapr_of_client.c, such as
>>> RTAS, prom entry and FDT build/finalize
>>> * separated blobs
>>> * GRUB now proceeds to its console prompt (there are still other issues)
>>> * parse MBR/GPT to find PReP and load GRUB
>>>

Re: [PATCH 18/26] hw/usb/bus: Add usb_get_port_path()

2020-07-06 Thread Alistair Francis
On Sat, Jul 4, 2020 at 8:00 AM Philippe Mathieu-Daudé  wrote:
>
> Refactor usb_get_full_dev_path() to take a 'want_full_path'
> argument, and add usb_get_port_path() which returns a short
> path.
>
> Signed-off-by: Philippe Mathieu-Daudé 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  include/hw/usb.h | 10 ++
>  hw/usb/bus.c | 18 +-
>  2 files changed, 23 insertions(+), 5 deletions(-)
>
> diff --git a/include/hw/usb.h b/include/hw/usb.h
> index 8c3bc920ff..7ea502d421 100644
> --- a/include/hw/usb.h
> +++ b/include/hw/usb.h
> @@ -506,6 +506,16 @@ void usb_port_location(USBPort *downstream, USBPort 
> *upstream, int portnr);
>  void usb_unregister_port(USBBus *bus, USBPort *port);
>  void usb_claim_port(USBDevice *dev, Error **errp);
>  void usb_release_port(USBDevice *dev);
> +/**
> + * usb_get_port_path:
> + * @dev: the USB device
> + *
> + * The returned data must be released with g_free()
> + * when no longer required.
> + *
> + * Returns: a dynamically allocated pathname.
> + */
> +char *usb_get_port_path(USBDevice *dev);
>  void usb_device_attach(USBDevice *dev, Error **errp);
>  int usb_device_detach(USBDevice *dev);
>  void usb_check_attach(USBDevice *dev, Error **errp);
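
Review bot: the doc comment for usb_get_port_path() says only that it returns "a dynamically allocated pathname", which does not tell a caller how it differs from the full device path. State that it returns a copy of the port path only, regardless of USB_DEV_FLAG_FULL_PATH, and leave a blank line between usb_release_port() and the comment.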
> diff --git a/hw/usb/bus.c b/hw/usb/bus.c
> index fad8194bf5..518e5b94ed 100644
> --- a/hw/usb/bus.c
> +++ b/hw/usb/bus.c
> @@ -577,12 +577,10 @@ static void usb_bus_dev_print(Monitor *mon, DeviceState 
> *qdev, int indent)
> dev->attached ? ", attached" : "");
>  }
>
> -static char *usb_get_full_dev_path(DeviceState *qdev)
> +static char *usb_get_dev_path(USBDevice *dev, bool want_full_path)
>  {
> -USBDevice *dev = USB_DEVICE(qdev);
> -
> -if (dev->flags & (1 << USB_DEV_FLAG_FULL_PATH)) {
> -DeviceState *hcd = qdev->parent_bus->parent;
> +if (want_full_path && (dev->flags & (1 << USB_DEV_FLAG_FULL_PATH))) {
> +DeviceState *hcd = DEVICE(dev)->parent_bus->parent;
>  char *id = qdev_get_dev_path(hcd);
>
>  if (id) {
> @@ -594,6 +592,16 @@ static char *usb_get_full_dev_path(DeviceState *qdev)
>  return g_strdup(dev->port->path);
>  }
>
> +static char *usb_get_full_dev_path(DeviceState *qdev)
> +{
> +return usb_get_dev_path(USB_DEVICE(qdev), true);
> +}
> +
> +char *usb_get_port_path(USBDevice *dev)
> +{
> +return usb_get_dev_path(dev, false);
> +}
> +
>  static char *usb_get_fw_dev_path(DeviceState *qdev)
>  {
>  USBDevice *dev = USB_DEVICE(qdev);
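
Review bot: usb_get_port_path() is now an exported entry point, and it falls through to "return g_strdup(dev->port->path);" with no check that dev->port is set. Either document in the header that the device must already have a port, or assert it here, so a caller passing a device without one fails at a clear point instead of on a NULL dereference.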
> --
> 2.21.3
>
>



Re: [PATCH 19/26] hw/ppc/spapr: Use usb_get_port_path()

2020-07-06 Thread Alistair Francis
On Sat, Jul 4, 2020 at 7:59 AM Philippe Mathieu-Daudé  wrote:
>
> Avoid accessing the USBDevice internals, and use the
> recently added usb_get_port_path() helper instead.
>
> Signed-off-by: Philippe Mathieu-Daudé 

Reviewed-by: Alistair Francis 

Alistair

> ---
>  hw/ppc/spapr.c | 6 --
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index f6f034d039..221d3e7a8c 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -3121,7 +3121,8 @@ static char *spapr_get_fw_dev_path(FWPathProvider *p, 
> BusState *bus,
>   * We use SRP luns of the form 0100 | (usb-port << 16) | lun
>   * in the top 32 bits of the 64-bit LUN
>   */
> -unsigned usb_port = atoi(usb->port->path);
> +g_autofree char *usb_port_path = usb_get_port_path(usb);
> +unsigned usb_port = atoi(usb_port_path);
>  unsigned id = 0x100 | (usb_port << 16) | d->lun;
>  return g_strdup_printf("%s@%"PRIX64, qdev_fw_name(dev),
> (uint64_t)id << 32);
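
Review bot: atoi(usb_port_path) cannot report a parse failure and stops silently at the first non-digit, so a path that is not a plain decimal number gives 0 or a truncated value that is then shifted into the LUN. Now that the string comes from a helper rather than a field this code reads directly, parse it with strtoul() and an end-pointer check, and decide what the function returns when parsing fails.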
> @@ -3137,7 +3138,8 @@ static char *spapr_get_fw_dev_path(FWPathProvider *p, 
> BusState *bus,
>  if (strcmp("usb-host", qdev_fw_name(dev)) == 0) {
>  USBDevice *usbdev = CAST(USBDevice, dev, TYPE_USB_DEVICE);
>  if (usb_host_dev_is_scsi_storage(usbdev)) {
> -return g_strdup_printf("storage@%s/disk", usbdev->port->path);
> +g_autofree char *usb_port_path = usb_get_port_path(usbdev);
> +return g_strdup_printf("storage@%s/disk", usb_port_path);
>  }
>  }
>
> --
> 2.21.3
>
>



[PATCH] linux-user: Use EPROTONOSUPPORT for unimplemented netlink protocols

2020-07-06 Thread Josh Kunz
Linux uses the EPROTONOSUPPORT error code[1] if the user requests a
netlink socket with an unsupported netlink protocol. This change
switches linux-user to use the same code as Linux, instead of
EPFNOSUPPORT (which AFAIK is just an anachronistic version of
EAFNOSUPPORT).

Tested by compiling all linux-user targets on x86.

[1]:
https://github.com/torvalds/linux/blob/bfe91da29bfad9941d5d703d45e29f0812a20724/net/netlink/af_netlink.c#L683

Signed-off-by: Josh Kunz 
---
 linux-user/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 97de9fb5c9..4ab9852600 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -2987,7 +2987,7 @@ static abi_long do_socket(int domain, int type, int 
protocol)
 #endif
  protocol == NETLINK_KOBJECT_UEVENT ||
  protocol == NETLINK_AUDIT)) {
-return -TARGET_EPFNOSUPPORT;
+return -TARGET_EPROTONOSUPPORT;
 }
 
 if (domain == AF_PACKET ||
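
Review bot: the reason for returning -TARGET_EPROTONOSUPPORT at this return lives only in the commit message. A one-line comment above it saying that this matches what Linux returns for an unsupported netlink protocol would stop a later reader from changing it back. The commit message also reports compile testing only, so it would help to say whether a guest socket() call with an unsupported netlink protocol was run.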
-- 
2.27.0.212.ge8ba1cc988-goog




[PATCH 19/21] tests/tcg/xtensa: add DFP0 arith tests

2020-07-06 Thread Max Filippov
Add test for basic double precision opcode properties.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_dfp0_arith.S | 153 +
 1 file changed, 153 insertions(+)
 create mode 100644 tests/tcg/xtensa/test_dfp0_arith.S

diff --git a/tests/tcg/xtensa/test_dfp0_arith.S 
b/tests/tcg/xtensa/test_dfp0_arith.S
new file mode 100644
index ..f2c72f97938d
--- /dev/null
+++ b/tests/tcg/xtensa/test_dfp0_arith.S
@@ -0,0 +1,153 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_arith
+
+#if XCHAL_HAVE_DFP
+
+.macro movfp fr, v
+movia2, ((\v) >> 32) & 0x
+movia3, ((\v) & 0x)
+wfrd\fr, a2, a3
+.endm
+
+.macro check_res fr, r, sr
+rfrda2, \fr
+dumpa2
+movia3, ((\r) >> 32) & 0x
+assert  eq, a2, a3
+rfra2, \fr
+dumpa2
+movia3, ((\r) & 0x)
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test add_d
+movia2, 1
+wsr a2, cpenable
+
+/* MAX_FLOAT + MAX_FLOAT = +inf/MAX_FLOAT  */
+test_op2 add.d, f6, f7, f8, F64_MAX, F64_MAX, \
+F64_PINF, F64_MAX, F64_PINF, F64_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+test_end
+
+test add_d_inf
+/* 1 + +inf = +inf  */
+test_op2 add.d, f6, f7, f8, F64_1, F64_PINF, \
+F64_PINF, F64_PINF, F64_PINF, F64_PINF, \
+   FSR__,FSR__,FSR__,FSR__
+
+/* +inf + -inf = default NaN */
+test_op2 add.d, f0, f1, f2, F64_PINF, F64_NINF, \
+F64_DNAN, F64_DNAN, F64_DNAN, F64_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+test add_d_nan_dfpu
+/* 1 + QNaN = QNaN  */
+test_op2 add.d, f9, f10, f11, F64_1, F64_QNAN(1), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+/* 1 + SNaN = QNaN  */
+test_op2 add.d, f12, f13, f14, F64_1, F64_SNAN(1), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+
+/* SNaN1 + SNaN2 = QNaN2 */
+test_op2 add.d, f15, f0, f1, F64_SNAN(1), F64_SNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+/* QNaN1 + SNaN2 = QNaN2 */
+test_op2 add.d, f5, f6, f7, F64_QNAN(1), F64_SNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+/* SNaN1 + QNaN2 = QNaN2 */
+test_op2 add.d, f8, f9, f10, F64_SNAN(1), F64_QNAN(2), \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_end
+
+test sub_s
+/* norm - norm = denorm */
+test_op2 sub.d, f6, f7, f8, F64_MIN_NORM | 1, F64_MIN_NORM, \
+0x0001, 0x0001, 0x0001, 0x0001, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+test mul_s
+test_op2 mul.d, f0, f1, f2, F64_1 | 1, F64_1 | 1, \
+F64_1 | 2, F64_1 | 2, F64_1 | 3, F64_1 | 2, \
+FSR_I, FSR_I, FSR_I, FSR_I
+/* MAX_FLOAT/2 * MAX_FLOAT/2 = +inf/MAX_FLOAT  */
+test_op2 mul.d, f6, f7, f8, F64_MAX_2, F64_MAX_2, \
+F64_PINF, F64_MAX, F64_PINF, F64_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+/* min norm * min norm = 0/denorm */
+test_op2 mul.d, f6, f7, f8, F64_MIN_NORM, F64_MIN_NORM, \
+ F64_0,  F64_0, 0x0001,  F64_0, \
+FSR_UI, FSR_UI, FSR_UI, FSR_UI
+/* inf * 0 = default NaN */
+test_op2 mul.d, f6, f7, f8, F64_PINF, F64_0, \
+F64_DNAN, F64_DNAN, F64_DNAN, F64_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+test madd_d
+test_op3 madd.d, f0, f1, f2, f0, F64_0, F64_1 | 1, F64_1 | 1, \
+F64_1 | 2, F64_1 | 2, F64_1 | 3, F64_1 | 2, \
+FSR_I, FSR_I, FSR_I, FSR_I
+test_end
+
+test madd_d_precision
+test_op3 madd.d, f0, f1, f2, f0, \
+F64_MINUS | F64_1 | 2, F64_1 | 1, F64_1 | 1, \
+0x3970, 0x3970, 0x3970, 
0x3970, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+test madd_d_nan_dfpu
+/* DFPU madd/msub NaN1, NaN2, NaN3 priority: NaN1, NaN3, NaN2 */
+test_op3 madd.d, f0, f1, f2, f0, F64_QNAN(1), F64_1, F64_1, \
+F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), F64_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.d, f0, f1, f2, f0, F64_1, F64_QNAN(2), F64_1, \
+F64_QNAN(2), F64_QNAN(2), F64_QNAN(2), F64_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.d, f0, f1, f2, f0, F64_1, F64_1, F64_QNAN(3), \
+F64_QNAN(3), F64_QNAN(3), F64_QNAN(3), F64_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.d, f0, f1, f2, f0, F64_QNAN(1), F64_QNAN(2), F64_1, \
+ 
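
Review bot: the test names do not match what is tested: the suite in test_dfp0_arith.S is declared as "test_suite fp0_arith", and "test sub_s" and "test mul_s" exercise sub.d and mul.d. Rename them (for example dfp0_arith, sub_d, mul_d) so a failure report points at the double precision test. In add_d_nan_dfpu the comments on the two-NaN cases say the result is QNaN2 while the expected values are F64_QNAN(1); one of the two needs correcting.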

[PATCH 18/21] tests/tcg/xtensa: test double precision load/store

2020-07-06 Thread Max Filippov
Add ldi[p]/sdi[p]/ldx[p]/sdx[p] opcode tests to test_lsc.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_lsc.S | 123 
 1 file changed, 123 insertions(+)

diff --git a/tests/tcg/xtensa/test_lsc.S b/tests/tcg/xtensa/test_lsc.S
index 9d59c1815a9e..348822bdd359 100644
--- a/tests/tcg/xtensa/test_lsc.S
+++ b/tests/tcg/xtensa/test_lsc.S
@@ -140,4 +140,127 @@ test_end
 
 #endif
 
+#if XCHAL_HAVE_DFP
+
+#if XCHAL_HAVE_BE
+#define F64_HIGH_OFF 0
+#else
+#define F64_HIGH_OFF 4
+#endif
+
+.macro movdf fr, hi, lo
+movia2, \hi
+movia3, \lo
+wfrd\fr, a2, a3
+.endm
+
+test ldi
+movia2, 1
+wsr a2, cpenable
+
+movia2, 1f
+ldi f1, a2, 8
+ldi f2, a2, 16
+ldipf0, a2, 16
+movia3, 1f + 16
+assert  eq, a2, a3
+rfrda2, f0
+movia3, 0x3ff0
+assert  eq, a2, a3
+rfrda2, f1
+movia3, 0x4000
+assert  eq, a2, a3
+rfrda2, f2
+movia3, 0x4008
+assert  eq, a2, a3
+.data
+.align  8
+1:
+.double 1, 2, 3
+.text
+test_end
+
+test sdi
+movdf   f3, 0x4080, 0
+movdf   f4, 0x40a0, 0
+movdf   f5, 0x40c0, 0
+movia2, 1f
+sdi f4, a2, 8
+sdi f5, a2, 16
+sdipf3, a2, 16
+movia3, 1f + 16
+assert  eq, a2, a3
+l32ia4, a2, -16 + F64_HIGH_OFF
+movia3, 0x4080
+assert  eq, a4, a3
+l32ia4, a2, -8 + F64_HIGH_OFF
+movia3, 0x40a0
+assert  eq, a4, a3
+l32ia4, a2, F64_HIGH_OFF
+movia3, 0x40c0
+assert  eq, a4, a3
+.data
+.align  8
+1:
+.double 0, 0, 0
+.text
+test_end
+
+test ldx
+movia2, 1f
+movia3, 0
+movia4, 8
+movia5, 16
+ldx f7, a2, a4
+ldx f8, a2, a5
+ldxpf6, a2, a5
+movia3, 1f + 16
+assert  eq, a2, a3
+rfrda2, f6
+movia3, 0x401c
+assert  eq, a2, a3
+rfrda2, f7
+movia3, 0x4020
+assert  eq, a2, a3
+rfrda2, f8
+movia3, 0x4022
+assert  eq, a2, a3
+.data
+.align  8
+1:
+.double 7, 8, 9
+.text
+test_end
+
+test sdx
+movdf   f9, 0x4120, 0
+movdf   f10, 0x4130, 0
+movdf   f11, 0x4140, 0
+movia2, 1f
+movia3, 0
+movia4, 8
+movia5, 16
+sdx f10, a2, a4
+sdx f11, a2, a5
+sdxpf9, a2, a5
+movia3, 1f + 16
+assert  eq, a2, a3
+l32ia4, a2, -16 + F64_HIGH_OFF
+movia3, 0x4120
+assert  eq, a4, a3
+l32ia4, a2, -8 + F64_HIGH_OFF
+movia3, 0x4130
+assert  eq, a4, a3
+l32ia4, a2, F64_HIGH_OFF
+movia3, 0x4140
+assert  eq, a4, a3
+.data
+.align  8
+1:
+.double 0, 0, 0
+.text
+test_end
+
+#endif
+
 test_suite_end
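
Review bot: the new ldi/sdi/ldx/sdx tests verify only the high 32 bits of each double: loads are checked with rfrd alone, stores with a single l32i at F64_HIGH_OFF, and every test value has an all-zero low word. A bug that drops or misplaces the low half would pass, so use at least one value with a non-zero low word and check it with rfr and a second l32i. In the ldx and sdx tests "movi a3, 0" is also dead, since a3 is not read before it is reloaded with "1f + 16".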
-- 
2.20.1




[PATCH 15/21] tests/tcg/xtensa: update test_fp1 for DFPU

2020-07-06 Thread Max Filippov
DFPU sets Invalid flag in FSR when at least one argument of FP
comparison opcodes is NaN, SNaN for most opcodes, any NaN for olt/ole.
Add checks for FSR and expected FSR values.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp1.S | 62 -
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/tests/tcg/xtensa/test_fp1.S b/tests/tcg/xtensa/test_fp1.S
index 6e182e5964bd..77336a3fcf2c 100644
--- a/tests/tcg/xtensa/test_fp1.S
+++ b/tests/tcg/xtensa/test_fp1.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp1
 
@@ -9,7 +10,7 @@ test_suite fp1
 wfr \fr, a2
 .endm
 
-.macro test_ord_ex op, br, fr0, fr1, v0, v1, r
+.macro test_ord_ex op, br, fr0, fr1, v0, v1, r, sr
 movia2, 0
 wur a2, fsr
 movfp   \fr0, \v0
@@ -20,65 +21,70 @@ test_suite fp1
 movta2, a3, \br
 assert  eqi, a2, \r
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_ord op, br, fr0, fr1, v0, v1, r
+.macro test_ord op, br, fr0, fr1, v0, v1, r, sr
 movia2, 0
 wur a2, fcr
-test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r
+test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r, \sr
 movia2, 0x7c
 wur a2, fcr
-test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r
+test_ord_ex \op, \br, \fr0, \fr1, \v0, \v1, \r, \sr
 .endm
 
-.macro test_ord_all op, aa, ab, ba, aPI, PIa, aN, Na, II, IN, NI
-test_ord \op  b0,  f0,  f1, 0x3f80, 0x3f80, \aa
-test_ord \op  b1,  f2,  f3, 0x3f80, 0x3fc0, \ab
-test_ord \op  b2,  f4,  f5, 0x3fc0, 0x3f80, \ba
-test_ord \op  b3,  f6,  f7, 0x3f80, 0x7f80, \aPI
-test_ord \op  b4,  f8,  f9, 0x7f80, 0x3f80, \PIa
-test_ord \op  b5, f10, f11, 0x3f80, 0xffc1, \aN
-test_ord \op  b6, f12, f13, 0x3f80, 0xff81, \aN
-test_ord \op  b7, f14, f15, 0x3f80, 0x7f81, \aN
-test_ord \op  b8,  f0,  f1, 0x3f80, 0x7fc0, \aN
-test_ord \op  b9,  f2,  f3, 0xffc1, 0x3f80, \Na
-test_ord \op b10,  f4,  f5, 0xff81, 0x3f80, \Na
-test_ord \op b11,  f6,  f7, 0x7f81, 0x3f80, \Na
-test_ord \op b12,  f8,  f9, 0x7fc0, 0x3f80, \Na
-test_ord \op b13, f10, f11, 0x7f80, 0x7f80, \II
-test_ord \op b14, f12, f13, 0x7f80, 0x7fc0, \IN
-test_ord \op b15, f14, f15, 0x7fc0, 0x7f80, \NI
+.macro test_ord_all op, aa, ab, ba, aPI, PIa, aN, Na, II, IN, NI, qnan_sr
+test_ord \op  b0,  f0,  f1, 0x3f80, 0x3f80, \aa,  FSR__/*   
ord == ord */
+test_ord \op  b1,  f2,  f3, 0x3f80, 0x3fc0, \ab,  FSR__/*   
ord <  ord */
+test_ord \op  b2,  f4,  f5, 0x3fc0, 0x3f80, \ba,  FSR__/*   
ord >  ord */
+test_ord \op  b3,  f6,  f7, 0x3f80, 0x7f80, \aPI, FSR__/*   
ord   +INF */
+test_ord \op  b4,  f8,  f9, 0x7f80, 0x3f80, \PIa, FSR__/*  
+INFord */
+test_ord \op  b5, f10, f11, 0x3f80, 0xffc1, \aN,  \qnan_sr /*   
ord  -QNaN */
+test_ord \op  b6, f12, f13, 0x3f80, 0xff81, \aN,  FSR_V/*   
ord  -SNaN */
+test_ord \op  b7, f14, f15, 0x3f80, 0x7f81, \aN,  FSR_V/*   
ord  +SNaN */
+test_ord \op  b8,  f0,  f1, 0x3f80, 0x7fc0, \aN,  \qnan_sr /*   
ord  +QNaN */
+test_ord \op  b9,  f2,  f3, 0xffc1, 0x3f80, \Na,  \qnan_sr /* 
-QNaNord */
+test_ord \op b10,  f4,  f5, 0xff81, 0x3f80, \Na,  FSR_V/* 
-SNaNord */
+test_ord \op b11,  f6,  f7, 0x7f81, 0x3f80, \Na,  FSR_V/* 
+SNaNord */
+test_ord \op b12,  f8,  f9, 0x7fc0, 0x3f80, \Na,  \qnan_sr /* 
+QNaNord */
+test_ord \op b13, f10, f11, 0x7f80, 0x7f80, \II,  FSR__/*  
+INF   +INF */
+test_ord \op b14, f12, f13, 0x7f80, 0x7fc0, \IN,  \qnan_sr /*  
+INF  +QNaN */
+test_ord \op b15, f14, f15, 0x7fc0, 0x7f80, \NI,  \qnan_sr /* 
+QNaN   +INF */
 .endm
 
 test un_s
 movia2, 1
 wsr a2, cpenable
-test_ord_all un.s, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1
+test_ord_all un.s, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, FSR__
 test_end
 
 test oeq_s
-test_ord_all oeq.s, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0
+test_ord_all oeq.s, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, FSR__
 test_end
 
 test ueq_s
-test_ord_all ueq.s, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1
+test_ord_all ueq.s, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, FSR__
 test_end
 
 test olt_s
-test_ord_all olt.s, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0
+test_ord_all olt.s, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, FSR_V
 test_end
 
 test ult_s
-test_ord_all ult.s, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1
+test_ord_all ult.s, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, FSR__
 test_end
 
 test ole_s
-test_ord_all ole.s, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0
+test_ord_all ole.s, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, FSR_V
 test_end
 
 test ule_s
-test_ord_all ule.s, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1
+test_ord_all ule.s, 1,
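
Review bot: in test_ord_ex the new sr argument is checked only under "#if DFPU"; the "#else" branch still asserts that FSR is 0 and silently ignores it. Add a comment on the macro saying that the expected FSR value applies to DFPU configurations only, and say where DFPU is defined, since this diff shows only the new fpu.h include.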

[PATCH 17/21] tests/tcg/xtensa: add fp0 div and sqrt tests

2020-07-06 Thread Max Filippov
Test exact division/sqrt DFPU sequences.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp0_div.S  | 82 
 tests/tcg/xtensa/test_fp0_sqrt.S | 76 +
 2 files changed, 158 insertions(+)
 create mode 100644 tests/tcg/xtensa/test_fp0_div.S
 create mode 100644 tests/tcg/xtensa/test_fp0_sqrt.S

diff --git a/tests/tcg/xtensa/test_fp0_div.S b/tests/tcg/xtensa/test_fp0_div.S
new file mode 100644
index ..c3e7ad7bb5b3
--- /dev/null
+++ b/tests/tcg/xtensa/test_fp0_div.S
@@ -0,0 +1,82 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_div
+
+#if XCHAL_HAVE_FP_DIV
+
+.macro  divs_seq q, a, b, r, y, y0, an, bn, e, ex
+div0.s  \y0, \b
+nexp01.s\bn, \b
+const.s \e, 1
+maddn.s \e, \bn, \y0
+mov.s   \y, \y0
+mov.s   \ex, \b
+nexp01.s\an, \a
+maddn.s \y, \e, \y0
+const.s \e, 1
+const.s \q, 0
+neg.s   \r, \an
+maddn.s \e, \bn, \y
+maddn.s \q, \r, \y0
+mkdadj.s\ex, \a
+maddn.s \y, \e, \y
+maddn.s \r, \bn, \q
+const.s \e, 1
+maddn.s \e, \bn, \y
+maddn.s \q, \r, \y
+neg.s   \r, \an
+maddn.s \y, \e, \y
+maddn.s \r, \bn, \q
+addexpm.s   \q, \ex
+addexp.s\y, \ex
+divn.s  \q, \r, \y
+.endm
+
+.macro div_s fr0, fr1, fr2
+divs_seq\fr0, \fr1, \fr2, f9, f10, f11, f12, f13, f14, f15
+.endm
+
+.macro movfp fr, v
+movia2, \v
+wfr \fr, a2
+.endm
+
+.macro check_res fr, r, sr
+rfr a2, \fr
+dumpa2
+movia3, \r
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test div_s
+movia2, 1
+wsr a2, cpenable
+
+test_op2div_s, f0, f1, f2, 0x4000, 0x4040, \
+0x3f2b, 0x3f2a, 0x3f2b, 0x3f2a, \
+ FSR_I,  FSR_I,  FSR_I,  FSR_I
+test_op2div_s, f3, f4, f5, F32_1, F32_0, \
+F32_PINF, F32_PINF, F32_PINF, F32_PINF, \
+   FSR_Z,FSR_Z,FSR_Z,FSR_Z
+test_op2div_s, f6, f7, f8, F32_0, F32_0, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+
+/* MAX_FLOAT / 0.5 = +inf/MAX_FLOAT  */
+test_op2div_s, f0, f1, f2, F32_MAX, F32_0_5, \
+F32_PINF, F32_MAX, F32_PINF, F32_MAX, \
+  FSR_OI,  FSR_OI,   FSR_OI,  FSR_OI
+
+/* 0.5 / MAX_FLOAT = denorm  */
+test_op2div_s, f0, f1, f2, F32_0_5, F32_MAX, \
+0x0010, 0x0010, 0x0011, 0x0010, \
+FSR_UI, FSR_UI, FSR_UI, FSR_UI
+test_end
+
+#endif
+
+test_suite_end
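
Review bot: divs_seq is a long fixed instruction sequence with no comment on where it comes from or what each temporary register holds. The commit message calls it the exact DFPU division sequence; put that, with a reference to the source of the sequence, in a comment above the macro so the test can be checked against it later.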
diff --git a/tests/tcg/xtensa/test_fp0_sqrt.S b/tests/tcg/xtensa/test_fp0_sqrt.S
new file mode 100644
index ..585973dce6bc
--- /dev/null
+++ b/tests/tcg/xtensa/test_fp0_sqrt.S
@@ -0,0 +1,76 @@
+#include "macros.inc"
+#include "fpu.h"
+
+test_suite fp0_sqrt
+
+#if XCHAL_HAVE_FP_SQRT
+
+.macro  sqrt_seq r, a, y, t1, hn, h2, t5, h
+sqrt0.s \y, \a
+const.s \t1, 0
+maddn.s \t1, \y, \y
+nexp01.s\hn, \a
+const.s \r, 3
+addexp.s\hn, \r
+maddn.s \r, \t1, \hn
+nexp01.s\t1, \a
+neg.s   \h2, \t1
+maddn.s \y, \r, \y
+const.s \r, 0
+const.s \t5, 0
+const.s \h, 0
+maddn.s \r, \h2, \y
+maddn.s \t5, \y, \hn
+const.s \hn, 3
+maddn.s \h, \hn, \y
+maddn.s \t1, \r, \r
+maddn.s \hn, \t5, \y
+neg.s   \y, \h
+maddn.s \r, \t1, \y
+maddn.s \h, \hn, \h
+mksadj.s\y, \a
+nexp01.s\a, \a
+maddn.s \a, \r, \r
+neg.s   \t1, \h
+addexpm.s   \r, \y
+addexp.s\t1, \y
+divn.s  \r, \a, \t1
+.endm
+
+.macro sqrt_s fr0, fr1
+sqrt_seq\fr0, \fr1, f10, f11, f12, f13, f14, f15
+.endm
+
+.macro movfp fr, v
+movia2, \v
+wfr \fr, a2
+.endm
+
+.macro check_res fr, r, sr
+rfr a2, \fr
+dumpa2
+movia3, \r
+assert  eq, a2, a3
+rur a2, fsr
+movia3, \sr
+assert  eq, a2, a3
+.endm
+
+test sqrt_s
+movia2, 1
+wsr a2, cpenable
+
+test_op1sqrt_s, f0, f1, 0x4000, \
+0x3fb504f3, 0x3fb504f3, 0x3fb504f4, 0x3fb504f3, \
+ FSR_I,  FSR_I,  FSR_I,  FSR_I
+test_op1sqrt_s, f3, f4, F32_1, \
+F32_1, F32_1, F32_1, F32_1, \
+FSR__, FSR__, FSR__, FSR__
+test_op1sqrt_s, f6, f7, F32_MINUS | F32_1, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+test_end
+
+#endif
+
+test_suite_end
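
Review bot: movfp and check_res are defined in this file exactly as they are in test_fp0_div.S in the same patch. Move the shared macros into fpu.h or macros.inc so the two copies cannot drift apart.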
-- 
2.20.1




[PATCH 11/21] tests/tcg/xtensa: fix test execution on ISS

2020-07-06 Thread Max Filippov
Space for test results may be allocated in IRAM which is only
word-accessible. Use full 32-bit words to access test results.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/macros.inc | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tests/tcg/xtensa/macros.inc b/tests/tcg/xtensa/macros.inc
index aa8f95bce879..f88937c7bf82 100644
--- a/tests/tcg/xtensa/macros.inc
+++ b/tests/tcg/xtensa/macros.inc
@@ -3,7 +3,7 @@
 .macro test_suite name
 .data
 status: .word result
-result: .space 256
+result: .space 1024
 .text
 .global main
 .align 4
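
Review bot: "result: .space 1024" hard-codes the product of the slot count and the new slot size. Writing it as ".space 256 * 4", or deriving this size and the "addi ..., 4" strides in the later hunks from one symbol, would make the link to the l32i/s32i accesses visible.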
@@ -25,9 +25,9 @@ main:
 movia3, 0
 beqza2, 2f
 1:
-l8uia1, a0, 0
+l32ia1, a0, 0
 or  a3, a3, a1
-addia0, a0, 1
+addia0, a0, 4
 addia2, a2, -1
 bneza2, 1b
 2:
@@ -65,7 +65,7 @@ test_\name:
 reset_ps
 movia2, status
 l32ia3, a2, 0
-addia3, a3, 1
+addia3, a3, 4
 s32ia3, a2, 0
 .endm
 
@@ -78,7 +78,7 @@ test_\name:
 movia2, status
 l32ia2, a2, 0
 movia3, 1
-s8i a3, a2, 0
+s32ia3, a2, 0
 #ifdef DEBUG
 print   failed
 #endif
-- 
2.20.1




[PATCH 16/21] tests/tcg/xtensa: update test_lsc for DFPU

2020-07-06 Thread Max Filippov
DFPU doesn't have pre-increment FP load/store opcodes, it has
post-increment opcodes instead. Test increment opcodes present in the
current config.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_lsc.S | 47 +++--
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/tests/tcg/xtensa/test_lsc.S b/tests/tcg/xtensa/test_lsc.S
index 0578bf19e72e..9d59c1815a9e 100644
--- a/tests/tcg/xtensa/test_lsc.S
+++ b/tests/tcg/xtensa/test_lsc.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite lsc
 
@@ -9,9 +10,14 @@ test lsi
 wsr a2, cpenable
 
 movia2, 1f
-lsi f0, a2, 0
 lsi f1, a2, 4
+#if DFPU
+lsi f2, a2, 8
+lsipf0, a2, 8
+#else
+lsi f0, a2, 0
 lsiuf2, a2, 8
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 rfr a2, f0
@@ -34,13 +40,18 @@ test ssi
 movia2, 1f
 movia3, 0x4080
 wfr f3, a3
-ssi f3, a2, 0
 movia3, 0x40a0
 wfr f4, a3
-ssi f4, a2, 4
 movia3, 0x40c0
 wfr f5, a3
+ssi f4, a2, 4
+#if DFPU
+ssi f5, a2, 8
+ssipf3, a2, 8
+#else
+ssi f3, a2, 0
 ssiuf5, a2, 8
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 l32ia4, a2, -8
@@ -62,11 +73,16 @@ test_end
 test lsx
 movia2, 1f
 movia3, 0
+movia4, 4
+movia5, 8
+lsx f7, a2, a4
+#if DFPU
+lsx f8, a2, a5
+lsxpf6, a2, a5
+#else
 lsx f6, a2, a3
-movia3, 4
-lsx f7, a2, a3
-movia3, 8
-lsxuf8, a2, a3
+lsxuf8, a2, a5
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 rfr a2, f6
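
Review bot: in "test lsx", "movi a3, 0" stays at the top, but a3 is read only by "lsx f6, a2, a3" in the "#else" branch, so with DFPU it is a dead load. Move it under "#else" so each configuration sets up only the registers it uses; the same applies to the "movi a3, 0" added in "test ssx".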
@@ -87,18 +103,23 @@ test_end
 
 test ssx
 movia2, 1f
-movia3, 0
 movia4, 0x4120
 wfr f9, a4
-ssx f9, a2, a3
-movia3, 4
 movia4, 0x4130
 wfr f10, a4
-ssx f10, a2, a3
-movia3, 8
 movia4, 0x4140
 wfr f11, a4
-ssxuf11, a2, a3
+movia3, 0
+movia4, 4
+movia5, 8
+ssx f10, a2, a4
+#if DFPU
+ssx f11, a2, a5
+ssxpf9, a2, a5
+#else
+ssx f9, a2, a3
+ssxuf11, a2, a5
+#endif
 movia3, 1f + 8
 assert  eq, a2, a3
 l32ia4, a2, -8
-- 
2.20.1




[PATCH 14/21] tests/tcg/xtensa: update test_fp0_conv for DFPU

2020-07-06 Thread Max Filippov
DFPU conversion opcodes update FSR flags. Add FSR parameters and
expected FSR register values for the conversion tests.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp0_conv.S | 299 ---
 1 file changed, 155 insertions(+), 144 deletions(-)

diff --git a/tests/tcg/xtensa/test_fp0_conv.S b/tests/tcg/xtensa/test_fp0_conv.S
index 147e3d5062df..cfee6e51790c 100644
--- a/tests/tcg/xtensa/test_fp0_conv.S
+++ b/tests/tcg/xtensa/test_fp0_conv.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp0_conv
 
@@ -9,7 +10,7 @@ test_suite fp0_conv
 wfr \fr, a2
 .endm
 
-.macro test_ftoi_ex op, r0, fr0, v, c, r
+.macro test_ftoi_ex op, r0, fr0, v, c, r, sr
 movia2, 0
 wur a2, fsr
 movfp   \fr0, \v
@@ -18,20 +19,25 @@ test_suite fp0_conv
 movia3, \r
 assert  eq, \r0, a3
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_ftoi op, r0, fr0, v, c, r
+.macro test_ftoi op, r0, fr0, v, c, r, sr
 movia2, 0
 wur a2, fcr
-test_ftoi_ex \op, \r0, \fr0, \v, \c, \r
+test_ftoi_ex \op, \r0, \fr0, \v, \c, \r, \sr
 movia2, 0x7c
 wur a2, fcr
-test_ftoi_ex \op, \r0, \fr0, \v, \c, \r
+test_ftoi_ex \op, \r0, \fr0, \v, \c, \r, \sr
 .endm
 
 
-.macro test_itof_ex op, fr0, ar0, v, c, r
+.macro test_itof_ex op, fr0, ar0, v, c, r, sr
 movia2, 0
 wur a2, fsr
 movi\ar0, \v
@@ -42,23 +48,28 @@ test_suite fp0_conv
 movia3, \r
 assert  eq, a2, a3
 rur a2, fsr
+#if DFPU
+movia3, \sr
+assert  eq, a2, a3
+#else
 assert  eqi, a2, 0
+#endif
 .endm
 
-.macro test_itof_rm op, fr0, ar0, v, c, rm, r
+.macro test_itof_rm op, fr0, ar0, v, c, rm, r, sr
 movia2, \rm
 wur a2, fcr
-test_itof_ex \op, \fr0, \ar0, \v, \c, \r
+test_itof_ex \op, \fr0, \ar0, \v, \c, \r, \sr
 movia2, (\rm) | 0x7c
 wur a2, fcr
-test_itof_ex \op, \fr0, \ar0, \v, \c, \r
+test_itof_ex \op, \fr0, \ar0, \v, \c, \r, \sr
 .endm
 
-.macro test_itof op, fr0, ar0, v, c, r0, r1, r2, r3
-test_itof_rm \op, \fr0, \ar0, \v, \c, 0, \r0
-test_itof_rm \op, \fr0, \ar0, \v, \c, 1, \r1
-test_itof_rm \op, \fr0, \ar0, \v, \c, 2, \r2
-test_itof_rm \op, \fr0, \ar0, \v, \c, 3, \r3
+.macro test_itof op, fr0, ar0, v, c, r0, r1, r2, r3, sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 0, \r0, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 1, \r1, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 2, \r2, \sr
+test_itof_rm \op, \fr0, \ar0, \v, \c, 3, \r3, \sr
 .endm
 
 test round_s
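
Review bot: the "#if DFPU" / "#else" block that checks FSR is now pasted into both test_ftoi_ex (previous hunk) and test_itof_ex here. Factor it into one helper macro that takes the expected value, so the DFPU and non-DFPU expectations are stated once.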
@@ -66,237 +77,237 @@ test round_s
 wsr a2, cpenable
 
 /* NaN */
-test_ftoi round.s, a2, f0, 0xffc1, 0, 0x7fff
-test_ftoi round.s, a2, f0, 0xff81, 0, 0x7fff
+test_ftoi round.s, a2, f0, 0xffc1, 0, 0x7fff, FSR_V
+test_ftoi round.s, a2, f0, 0xff81, 0, 0x7fff, FSR_V
 
 /* -inf */
-test_ftoi round.s, a2, f0, 0xff80, 0, 0x8000
+test_ftoi round.s, a2, f0, 0xff80, 0, 0x8000, FSR_V
 
 /* negative overflow */
-test_ftoi round.s, a2, f0, 0xceff, 1, 0x8000
-test_ftoi round.s, a2, f0, 0xcf00, 0, 0x8000
-test_ftoi round.s, a2, f0, 0xceff, 0, 0x8080
+test_ftoi round.s, a2, f0, 0xceff, 1, 0x8000, FSR_V
+test_ftoi round.s, a2, f0, 0xcf00, 0, 0x8000, FSR__
+test_ftoi round.s, a2, f0, 0xceff, 0, 0x8080, FSR__
 
 /* negative */
-test_ftoi round.s, a2, f0, 0xbfa0, 1, -2 /* -1.25 * 2 */
-test_ftoi round.s, a2, f0, 0xbfc0, 0, -2 /* -1.5 */
-test_ftoi round.s, a2, f0, 0xbf80, 1, -2 /* -1 * 2 */
-test_ftoi round.s, a2, f0, 0xbf80, 0, -1 /* -1 */
-test_ftoi round.s, a2, f0, 0xbf40, 0, -1 /* -0.75 */
-test_ftoi round.s, a2, f0, 0xbf00, 0, 0  /* -0.5 */
+test_ftoi round.s, a2, f0, 0xbfa0, 1, -2, FSR_I  /* -1.25 * 2 */
+test_ftoi round.s, a2, f0, 0xbfc0, 0, -2, FSR_I  /* -1.5 */
+test_ftoi round.s, a2, f0, 0xbf80, 1, -2, FSR__  /* -1 * 2 */
+test_ftoi round.s, a2, f0, 0xbf80, 0, -1, FSR__  /* -1 */
+test_ftoi round.s, a2, f0, 0xbf40, 0, -1, FSR_I  /* -0.75 */
+test_ftoi round.s, a2, f0, 0xbf00, 0,  0, FSR_I  /* -0.5 */
 
 /* positive */
-test_ftoi round.s, a2, f0, 0x3f00, 0, 0 /* 0.5 */
-test_ftoi round.s, a2, f0, 0x3f40, 0, 1 /* 0.75 */
-test_ftoi round.s, a2, f0, 0x3f80, 0, 1 /* 1 */
-test_ftoi round.s, a2, f0, 0x3f80, 1, 2 /* 1 * 2 */
-test_ftoi round.s, a2, f0, 0x3fc0, 0, 2 /* 1.5 */
-test_ftoi round.s, a2, f0, 0x3fa0, 1, 2 /* 1.25 * 2 */
+test_ftoi round.s, a2, f0, 0x3f00, 0, 0, FSR_I /* 0.5 */
+test_ftoi round.s, a2, f0, 0x3f40, 0, 1, FSR_I /* 0.75 */
+test_ftoi round.s, a2, f0, 0x3f80, 0, 1, FSR__ /* 1 */
+test_ftoi round.s, a2, f0, 0x3f80, 1, 2, FSR__ /* 1 * 2 */
+test_fto

[PATCH 08/21] target/xtensa: don't access BR regfile directly

2020-07-06 Thread Max Filippov
BR registers used in FPU comparison opcodes are available as opcode
arguments for translators. Use them. This simplifies comparison helpers
interface and makes them usable in FLIX bundles.

Signed-off-by: Max Filippov 
---
 target/xtensa/fpu_helper.c | 42 +-
 target/xtensa/helper.h | 14 ++---
 target/xtensa/translate.c  | 20 ++
 3 files changed, 42 insertions(+), 34 deletions(-)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 57a284924045..fae6836d3223 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -118,49 +118,45 @@ float32 HELPER(uitof_s)(CPUXtensaState *env, uint32_t v, 
uint32_t scale)
   (int32_t)scale, &env->fp_status);
 }
 
-static inline void set_br(CPUXtensaState *env, bool v, uint32_t br)
+uint32_t HELPER(un_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-if (v) {
-env->sregs[BR] |= br;
-} else {
-env->sregs[BR] &= ~br;
-}
-}
-
-void HELPER(un_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
-{
-set_br(env, float32_unordered_quiet(a, b, &env->fp_status), br);
+return float32_unordered_quiet(a, b, &env->fp_status);
 }
 
-void HELPER(oeq_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(oeq_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_eq_quiet(a, b, &env->fp_status), br);
+return float32_eq_quiet(a, b, &env->fp_status);
 }
 
-void HELPER(ueq_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ueq_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, &env->fp_status);
-set_br(env, v == float_relation_equal || v == float_relation_unordered, 
br);
+
+return v == float_relation_equal ||
+   v == float_relation_unordered;
 }
 
-void HELPER(olt_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(olt_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_lt_quiet(a, b, &env->fp_status), br);
+return float32_lt_quiet(a, b, &env->fp_status);
 }
 
-void HELPER(ult_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ult_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, &env->fp_status);
-set_br(env, v == float_relation_less || v == float_relation_unordered, br);
+
+return v == float_relation_less ||
+   v == float_relation_unordered;
 }
 
-void HELPER(ole_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ole_s)(CPUXtensaState *env, float32 a, float32 b)
 {
-set_br(env, float32_le_quiet(a, b, &env->fp_status), br);
+return float32_le_quiet(a, b, &env->fp_status);
 }
 
-void HELPER(ule_s)(CPUXtensaState *env, uint32_t br, float32 a, float32 b)
+uint32_t HELPER(ule_s)(CPUXtensaState *env, float32 a, float32 b)
 {
 FloatRelation v = float32_compare_quiet(a, b, &env->fp_status);
-set_br(env, v != float_relation_greater, br);
+
+return v != float_relation_greater;
 }
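
Review bot: The seven comparison helpers in fpu_helper.c now return uint32_t, but nothing states that the value is strictly 0 or 1. With set_br() removed, the caller has to place that value into the selected BR bit itself, so a short comment on the return contract would make the new interface safer to use from translate.c. This matters most for ueq_s, ult_s and ule_s, which return a C comparison result directly.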
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index a692254fe10a..bbada1c0b864 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -59,13 +59,13 @@ DEF_HELPER_FLAGS_3(ftoui_s, TCG_CALL_NO_RWG_SE, i32, f32, 
i32, i32)
 DEF_HELPER_3(itof_s, f32, env, i32, i32)
 DEF_HELPER_3(uitof_s, f32, env, i32, i32)
 
-DEF_HELPER_4(un_s, void, env, i32, f32, f32)
-DEF_HELPER_4(oeq_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ueq_s, void, env, i32, f32, f32)
-DEF_HELPER_4(olt_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ult_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ole_s, void, env, i32, f32, f32)
-DEF_HELPER_4(ule_s, void, env, i32, f32, f32)
+DEF_HELPER_3(un_s,  i32, env, f32, f32)
+DEF_HELPER_3(oeq_s, i32, env, f32, f32)
+DEF_HELPER_3(ueq_s, i32, env, f32, f32)
+DEF_HELPER_3(olt_s, i32, env, f32, f32)
+DEF_HELPER_3(ult_s, i32, env, f32, f32)
+DEF_HELPER_3(ole_s, i32, env, f32, f32)
+DEF_HELPER_3(ule_s, i32, env, f32, f32)
 
 DEF_HELPER_2(rer, i32, env, i32)
 DEF_HELPER_3(wer, void, env, i32, i32)
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index f859cd3f0818..85bd63dffc9f 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -6319,7 +6319,7 @@ enum {
 static void translate_compare_s(DisasContext *dc, const OpcodeArg arg[],
 const uint32_t par[])
 {
-static void (* const helper[])(TCGv_env env, TCGv_i32 bit,
+static void (* const helper[])(TCGv_i32 res, TCGv_env env,
TCGv_i32 s, TCGv_i32 t) = {
 [COMPARE_UN] = gen_helper_un_s,
 [COMPARE_OEQ] = gen_helper_oeq_s,
@@ -6329,10 +6329,22 @@ static void translate_compare_s(DisasContext *dc, const 
OpcodeArg arg[],
 [COMPARE_OLE] = gen_helper_ole_s,
 [COMPARE_ULE] = gen_helper_ule_s,
 };
-TCGv_i32 bit = tcg_const_i32(1 << arg[0].i

[PATCH 06/21] target/xtensa: rename FPU2000 translators and helpers

2020-07-06 Thread Max Filippov
Add _s suffix to all FPU2000 opcode translators and helpers that also
have double-precision variant to unify naming and allow adding DFPU
implementations. Add _fpu2k_ to the name of wur_fcr helper to make space
for the DFPU wur_fcr helper.

Signed-off-by: Max Filippov 
---
 target/xtensa/fpu_helper.c | 10 +-
 target/xtensa/helper.h | 10 +-
 target/xtensa/translate.c  | 20 ++--
 3 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 87487293f9a1..57a284924045 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -33,7 +33,7 @@
 #include "exec/exec-all.h"
 #include "fpu/softfloat.h"
 
-void HELPER(wur_fcr)(CPUXtensaState *env, uint32_t v)
+void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 {
 static const int rounding_mode[] = {
 float_round_nearest_even,
@@ -82,7 +82,7 @@ float32 HELPER(msub_s)(CPUXtensaState *env, float32 a, 
float32 b, float32 c)
   &env->fp_status);
 }
 
-uint32_t HELPER(ftoi)(float32 v, uint32_t rounding_mode, uint32_t scale)
+uint32_t HELPER(ftoi_s)(float32 v, uint32_t rounding_mode, uint32_t scale)
 {
 float_status fp_status = {0};
 
@@ -90,7 +90,7 @@ uint32_t HELPER(ftoi)(float32 v, uint32_t rounding_mode, 
uint32_t scale)
 return float32_to_int32(float32_scalbn(v, scale, &fp_status), &fp_status);
 }
 
-uint32_t HELPER(ftoui)(float32 v, uint32_t rounding_mode, uint32_t scale)
+uint32_t HELPER(ftoui_s)(float32 v, uint32_t rounding_mode, uint32_t scale)
 {
 float_status fp_status = {0};
 float32 res;
@@ -106,13 +106,13 @@ uint32_t HELPER(ftoui)(float32 v, uint32_t rounding_mode, 
uint32_t scale)
 }
 }
 
-float32 HELPER(itof)(CPUXtensaState *env, uint32_t v, uint32_t scale)
+float32 HELPER(itof_s)(CPUXtensaState *env, uint32_t v, uint32_t scale)
 {
 return float32_scalbn(int32_to_float32(v, &env->fp_status),
   (int32_t)scale, &env->fp_status);
 }
 
-float32 HELPER(uitof)(CPUXtensaState *env, uint32_t v, uint32_t scale)
+float32 HELPER(uitof_s)(CPUXtensaState *env, uint32_t v, uint32_t scale)
 {
 return float32_scalbn(uint32_to_float32(v, &env->fp_status),
   (int32_t)scale, &env->fp_status);
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index 8532de0b35f5..a692254fe10a 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -46,7 +46,7 @@ DEF_HELPER_3(wsr_dbreaka, void, env, i32, i32)
 DEF_HELPER_3(wsr_dbreakc, void, env, i32, i32)
 #endif
 
-DEF_HELPER_2(wur_fcr, void, env, i32)
+DEF_HELPER_2(wur_fpu2k_fcr, void, env, i32)
 DEF_HELPER_FLAGS_1(abs_s, TCG_CALL_NO_RWG_SE, f32, f32)
 DEF_HELPER_FLAGS_1(neg_s, TCG_CALL_NO_RWG_SE, f32, f32)
 DEF_HELPER_3(add_s, f32, env, f32, f32)
@@ -54,10 +54,10 @@ DEF_HELPER_3(sub_s, f32, env, f32, f32)
 DEF_HELPER_3(mul_s, f32, env, f32, f32)
 DEF_HELPER_4(madd_s, f32, env, f32, f32, f32)
 DEF_HELPER_4(msub_s, f32, env, f32, f32, f32)
-DEF_HELPER_FLAGS_3(ftoi, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
-DEF_HELPER_FLAGS_3(ftoui, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
-DEF_HELPER_3(itof, f32, env, i32, i32)
-DEF_HELPER_3(uitof, f32, env, i32, i32)
+DEF_HELPER_FLAGS_3(ftoi_s, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
+DEF_HELPER_FLAGS_3(ftoui_s, TCG_CALL_NO_RWG_SE, i32, f32, i32, i32)
+DEF_HELPER_3(itof_s, f32, env, i32, i32)
+DEF_HELPER_3(uitof_s, f32, env, i32, i32)
 
 DEF_HELPER_4(un_s, void, env, i32, f32, f32)
 DEF_HELPER_4(oeq_s, void, env, i32, f32, f32)
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index bc01a720719d..0deaeef6b5fa 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -2813,10 +2813,10 @@ static void translate_wur(DisasContext *dc, const 
OpcodeArg arg[],
 tcg_gen_mov_i32(cpu_UR[par[0]], arg[0].in);
 }
 
-static void translate_wur_fcr(DisasContext *dc, const OpcodeArg arg[],
-  const uint32_t par[])
+static void translate_wur_fpu2k_fcr(DisasContext *dc, const OpcodeArg arg[],
+const uint32_t par[])
 {
-gen_helper_wur_fcr(cpu_env, arg[0].in);
+gen_helper_wur_fpu2k_fcr(cpu_env, arg[0].in);
 }
 
 static void translate_wur_fsr(DisasContext *dc, const OpcodeArg arg[],
@@ -5583,7 +5583,7 @@ static const XtensaOpcodeOps core_ops[] = {
 .par = (const uint32_t[]){EXPSTATE},
 }, {
 .name = "wur.fcr",
-.translate = translate_wur_fcr,
+.translate = translate_wur_fpu2k_fcr,
 .par = (const uint32_t[]){FCR},
 .coprocessor = 0x1,
 }, {
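
Review bot: In the core_ops hunk the FPU2000-specific translate_wur_fpu2k_fcr is still registered under "wur.fcr" in the core opcode table. The commit message says the rename makes space for a DFPU wur_fcr helper, so please state how the two "wur.fcr" entries are kept apart, for example by moving this entry out of core_ops into the FPU2000 opcode table.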
@@ -6373,9 +6373,9 @@ static void translate_float_s(DisasContext *dc, const 
OpcodeArg arg[],
 TCGv_i32 scale = tcg_const_i32(-arg[2].imm);
 
 if (par[0]) {
-gen_helper_uitof(arg[0].out, cpu_env, arg[1].in, scale);
+gen_helper_uitof_s(arg[0].out, cpu_env, arg[1].in, scale);
 } else {
-gen_helper_itof(arg[0].out, cpu_env, arg[1].in, scale);
+

[PATCH 13/21] tests/tcg/xtensa: expand madd tests

2020-07-06 Thread Max Filippov
Test that madd doesn't do rounding after multiplication.
Test NaN propagation rules for FPU2000 and DFPU madd opcode.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/test_fp0_arith.S | 88 +++
 1 file changed, 88 insertions(+)

diff --git a/tests/tcg/xtensa/test_fp0_arith.S 
b/tests/tcg/xtensa/test_fp0_arith.S
index df870eb7a013..727db187a5cc 100644
--- a/tests/tcg/xtensa/test_fp0_arith.S
+++ b/tests/tcg/xtensa/test_fp0_arith.S
@@ -146,6 +146,94 @@ test madd_s
  FSR_I,  FSR_I,  FSR_I,  FSR_I
 test_end
 
+test madd_s_precision
+test_op3 madd.s, f0, f1, f2, f0, 0xbf82, 0x3f81, 0x3f81, \
+0x2880, 0x2880, 0x2880, 0x2880, \
+ FSR__,  FSR__,  FSR__,  FSR__
+test_end
+
+#if DFPU
+test madd_s_nan_dfpu
+/* DFPU madd/msub NaN1, NaN2, NaN3 priority: NaN1, NaN3, NaN2 */
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_QNAN(3), \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+/* inf * 0 = default NaN */
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_PINF, F32_0, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR_V,FSR_V,FSR_V,FSR_V
+
+/* madd/msub SNaN turns to QNaN and sets Invalid flag */
+test_op3 madd.s, f0, f1, f2, f0, F32_SNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_SNAN(2), F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR_V,   FSR_V,   FSR_V,   FSR_V
+test_end
+#else
+test madd_s_nan_fpu2k
+/* FPU2000 madd/msub NaN1, NaN2, NaN3 priority: NaN2, NaN3, NaN1 */
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_1, \
+F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), F32_QNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_1, \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_1, F32_QNAN(3), \
+F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), F32_QNAN(3), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_QNAN(2), F32_QNAN(3), \
+F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), F32_QNAN(2), \
+  FSR__,   FSR__,   FSR__,   FSR__
+
+/* inf * 0 = default NaN */
+test_op3 madd.s, f0, f1, f2, f0, F32_1, F32_PINF, F32_0, \
+F32_DNAN, F32_DNAN, F32_DNAN, F32_DNAN, \
+   FSR__,FSR__,FSR__,FSR__
+
+/* madd/msub SNaN is preserved */
+test_op3 madd.s, f0, f1, f2, f0, F32_SNAN(1), F32_1, F32_1, \
+F32_SNAN(1), F32_SNAN(1), F32_SNAN(1), F32_SNAN(1), \
+  FSR__,   FSR__,   FSR__,   FSR__
+test_op3 madd.s, f0, f1, f2, f0, F32_QNAN(1), F32_SNAN(2), F32_1, \
+F32_SNAN(2), F32_SNAN(2), F32_SNAN(2), F32_SNAN(2), \
+  FSR__,   FSR__,   FSR__,  
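
Review bot: madd_s_precision has no comment explaining why these operands show that no rounding happens after the multiplication, while every NaN case below it carries one. Please add a line giving the operand values and the result that a rounded intermediate product would have produced. In madd_s_nan_dfpu the SNaN cases place the signaling NaN only in the first and second operand; a case with F32_SNAN(3) in the third operand would complete the coverage of the stated NaN1, NaN3, NaN2 priority.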

[PATCH 12/21] tests/tcg/xtensa: update test_fp0_arith for DFPU

2020-07-06 Thread Max Filippov
DFPU arithmetic opcodes update FSR flags. Add FSR parameters and
expected FSR register values for the arithmetic tests.

Signed-off-by: Max Filippov 
---
 tests/tcg/xtensa/fpu.h| 142 
 tests/tcg/xtensa/test_fp0_arith.S | 178 ++
 2 files changed, 223 insertions(+), 97 deletions(-)
 create mode 100644 tests/tcg/xtensa/fpu.h

diff --git a/tests/tcg/xtensa/fpu.h b/tests/tcg/xtensa/fpu.h
new file mode 100644
index ..42e321747304
--- /dev/null
+++ b/tests/tcg/xtensa/fpu.h
@@ -0,0 +1,142 @@
+#if XCHAL_HAVE_DFP || XCHAL_HAVE_FP_DIV
+#define DFPU 1
+#else
+#define DFPU 0
+#endif
+
+#define FCR_RM_NEAREST 0
+#define FCR_RM_TRUNC   1
+#define FCR_RM_CEIL2
+#define FCR_RM_FLOOR   3
+
+#define FSR__ 0x
+#define FSR_I 0x0080
+#define FSR_U 0x0100
+#define FSR_O 0x0200
+#define FSR_Z 0x0400
+#define FSR_V 0x0800
+
+#define FSR_UI (FSR_U | FSR_I)
+#define FSR_OI (FSR_O | FSR_I)
+
+#define F32_0   0x
+#define F32_0_5 0x3f00
+#define F32_1   0x3f80
+#define F32_MAX 0x7f7f
+#define F32_PINF0x7f80
+#define F32_NINF0xff80
+
+#define F32_DNAN0x7fc0
+#define F32_SNAN(v) (0x7f80 | (v))
+#define F32_QNAN(v) (0x7fc0 | (v))
+
+#define F32_MINUS   0x8000
+
+#define F64_0   0x
+#define F64_MIN_NORM0x0010
+#define F64_1   0x3ff0
+#define F64_MAX_2   0x7fe0
+#define F64_MAX 0x7fef
+#define F64_PINF0x7ff0
+#define F64_NINF0xfff0
+
+#define F64_DNAN0x7ff8
+#define F64_SNAN(v) (0x7ff0 | (v))
+#define F64_QNAN(v) (0x7ff8 | (v))
+
+#define F64_MINUS   0x8000
+
+.macro test_op1_rm op, fr0, fr1, v0, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+\op \fr1, \fr0
+check_res \fr1, \r, \sr
+.endm
+
+.macro test_op2_rm op, fr0, fr1, fr2, v0, v1, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+movfp   \fr1, \v1
+\op \fr2, \fr0, \fr1
+check_res \fr2, \r, \sr
+.endm
+
+.macro test_op3_rm op, fr0, fr1, fr2, fr3, v0, v1, v2, r, sr
+movia2, 0
+wur a2, fsr
+movfp   \fr0, \v0
+movfp   \fr1, \v1
+movfp   \fr2, \v2
+\op \fr0, \fr1, \fr2
+check_res \fr3, \r, \sr
+.endm
+
+.macro test_op1_ex op, fr0, fr1, v0, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op1_rm \op, \fr0, \fr1, \v0, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op1_rm \op, \fr0, \fr1, \v0, \r, \sr
+.endm
+
+.macro test_op2_ex op, fr0, fr1, fr2, v0, v1, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op2_rm \op, \fr0, \fr1, \fr2, \v0, \v1, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op2_rm \op, \fr0, \fr1, \fr2, \v0, \v1, \r, \sr
+.endm
+
+.macro test_op3_ex op, fr0, fr1, fr2, fr3, v0, v1, v2, rm, r, sr
+movia2, \rm
+wur a2, fcr
+test_op3_rm \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, \r, \sr
+movia2, (\rm) | 0x7c
+wur a2, fcr
+test_op3_rm \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, \r, \sr
+.endm
+
+.macro test_op1 op, fr0, fr1, v0, r0, r1, r2, r3, sr0, sr1, sr2, sr3
+test_op1_ex \op, \fr0, \fr1, \v0, 0, \r0, \sr0
+test_op1_ex \op, \fr0, \fr1, \v0, 1, \r1, \sr1
+test_op1_ex \op, \fr0, \fr1, \v0, 2, \r2, \sr2
+test_op1_ex \op, \fr0, \fr1, \v0, 3, \r3, \sr3
+.endm
+
+.macro test_op2 op, fr0, fr1, fr2, v0, v1, r0, r1, r2, r3, sr0, sr1, sr2, sr3
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 0, \r0, \sr0
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 1, \r1, \sr1
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 2, \r2, \sr2
+test_op2_ex \op, \fr0, \fr1, \fr2, \v0, \v1, 3, \r3, \sr3
+.endm
+
+.macro test_op3 op, fr0, fr1, fr2, fr3, v0, v1, v2, r0, r1, r2, r3, sr0, sr1, 
sr2, sr3
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 0, \r0, \sr0
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 1, \r1, \sr1
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 2, \r2, \sr2
+test_op3_ex \op, \fr0, \fr1, \fr2, \fr3, \v0, \v1, \v2, 3, \r3, \sr3
+.endm
+
+.macro test_op2_cpe op
+set_vector  kernel, 2f
+movia2, 0
+wsr a2, cpenable
+1:
+\op f2, f0, f1
+test_fail
+2:
+rsr a2, excvaddr
+movia3, 1b
+assert  eq, a2, a3
+rsr a2, exccause
+movia3, 32
+assert  eq, a2, a3
+
+set_vector  kernel, 0
+movia2, 1
+wsr a2, cpenable
+.endm
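
Review bot: In test_op3_rm the instruction is emitted as "\op \fr0, \fr1, \fr2" but the result is checked in \fr3, so the macro only works when the caller passes the same register for fr0 and fr3 (test_op2_rm, by contrast, writes and checks \fr2). Either drop the fr3 parameter and check \fr0, or document the requirement next to the macro. Also, F32_SNAN(v) and F64_SNAN(v) use the same base constant as F32_PINF and F64_PINF, so a zero payload yields infinity rather than a NaN; a comment that v must be non-zero would prevent a silent mistake in future tests.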
diff --git a/tests/tcg/xtensa/test_fp0_arith.S 
b/tests/tcg/xtensa/test_fp0_arith.S
index 253d033a3398..df870eb7a013 100644
--- a/tests/tcg/xtensa/test_fp0_arith.S
+++ b/tests/tcg/xtensa/test_fp0_arith.S
@@ -1,4 +1,5 @@
 #include "macros.inc"
+#include "fpu.h"
 
 test_suite fp0_arith
 
@@ -9,84 +10,

[PATCH 10/21] target/xtensa: implement FPU division and square root

2020-07-06 Thread Max Filippov
This does not implement all opcodes related to div/sqrt as specified in
the xtensa ISA, partly because the official specification is not
complete and partly because a precise implementation is unnecessarily
complex. Instead instructions specific to the div/sqrt sequences are
implemented differently, most of them as nops, but the results of
div/sqrt sequences are preserved.

Signed-off-by: Max Filippov 
---
 target/xtensa/fpu_helper.c |  24 +
 target/xtensa/helper.h |   4 ++
 target/xtensa/translate.c  | 104 +
 3 files changed, 132 insertions(+)

diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index 514b888b3d9a..f03a6b000460 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -203,6 +203,30 @@ float32 HELPER(msub_s)(CPUXtensaState *env, float32 a, 
float32 b, float32 c)
   &env->fp_status);
 }
 
+float64 HELPER(mkdadj_d)(CPUXtensaState *env, float64 a, float64 b)
+{
+set_use_first_nan(true, &env->fp_status);
+return float64_div(b, a, &env->fp_status);
+}
+
+float32 HELPER(mkdadj_s)(CPUXtensaState *env, float32 a, float32 b)
+{
+set_use_first_nan(env->config->use_first_nan, &env->fp_status);
+return float32_div(b, a, &env->fp_status);
+}
+
+float64 HELPER(mksadj_d)(CPUXtensaState *env, float64 v)
+{
+set_use_first_nan(true, &env->fp_status);
+return float64_sqrt(v, &env->fp_status);
+}
+
+float32 HELPER(mksadj_s)(CPUXtensaState *env, float32 v)
+{
+set_use_first_nan(env->config->use_first_nan, &env->fp_status);
+return float32_sqrt(v, &env->fp_status);
+}
+
 uint32_t HELPER(ftoi_d)(CPUXtensaState *env, float64 v,
 uint32_t rounding_mode, uint32_t scale)
 {
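
Review bot: mkdadj_d and mksadj_d call set_use_first_nan(true, ...) while the _s variants pass env->config->use_first_nan, and none of the four helpers restores the previous setting, so the NaN selection rule left in env->fp_status depends on which of these helpers ran last. Please explain why the double-precision case is unconditionally true, and either restore the prior value or set it once where fp_status is configured. The swapped operand order in float64_div(b, a, ...) and float32_div(b, a, ...) also deserves a one-line comment.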
diff --git a/target/xtensa/helper.h b/target/xtensa/helper.h
index a328af47cd31..d38432bab2a0 100644
--- a/target/xtensa/helper.h
+++ b/target/xtensa/helper.h
@@ -54,6 +54,8 @@ DEF_HELPER_3(sub_s, f32, env, f32, f32)
 DEF_HELPER_3(mul_s, f32, env, f32, f32)
 DEF_HELPER_4(madd_s, f32, env, f32, f32, f32)
 DEF_HELPER_4(msub_s, f32, env, f32, f32, f32)
+DEF_HELPER_3(mkdadj_s, f32, env, f32, f32)
+DEF_HELPER_2(mksadj_s, f32, env, f32)
 DEF_HELPER_4(ftoi_s, i32, env, f32, i32, i32)
 DEF_HELPER_4(ftoui_s, i32, env, f32, i32, i32)
 DEF_HELPER_3(itof_s, f32, env, i32, i32)
@@ -78,6 +80,8 @@ DEF_HELPER_3(sub_d, f64, env, f64, f64)
 DEF_HELPER_3(mul_d, f64, env, f64, f64)
 DEF_HELPER_4(madd_d, f64, env, f64, f64, f64)
 DEF_HELPER_4(msub_d, f64, env, f64, f64, f64)
+DEF_HELPER_3(mkdadj_d, f64, env, f64, f64)
+DEF_HELPER_2(mksadj_d, f64, env, f64)
 DEF_HELPER_4(ftoi_d, i32, env, f64, i32, i32)
 DEF_HELPER_4(ftoui_d, i32, env, f64, i32, i32)
 DEF_HELPER_3(itof_d, f64, env, i32, i32)
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index ab83e259917a..ea8bac29831f 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -7254,6 +7254,38 @@ static void translate_ldstx_s(DisasContext *dc, const 
OpcodeArg arg[],
 }
 }
 
+static void translate_mkdadj_d(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+gen_helper_mkdadj_d(arg[0].out, cpu_env, arg[0].in, arg[1].in);
+}
+
+static void translate_mkdadj_s(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+OpcodeArg arg32[2];
+
+get_f32_o1_i2(arg, arg32, 0, 0, 1);
+gen_helper_mkdadj_s(arg32[0].out, cpu_env, arg32[0].in, arg32[1].in);
+put_f32_o1_i2(arg, arg32, 0, 0, 1);
+}
+
+static void translate_mksadj_d(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+gen_helper_mksadj_d(arg[0].out, cpu_env, arg[1].in);
+}
+
+static void translate_mksadj_s(DisasContext *dc, const OpcodeArg arg[],
+   const uint32_t par[])
+{
+OpcodeArg arg32[2];
+
+get_f32_o1_i1(arg, arg32, 0, 1);
+gen_helper_mksadj_s(arg32[0].out, cpu_env, arg32[1].in);
+put_f32_o1_i1(arg, arg32, 0, 1);
+}
+
 static void translate_wur_fpu_fcr(DisasContext *dc, const OpcodeArg arg[],
   const uint32_t par[])
 {
@@ -7289,6 +7321,22 @@ static const XtensaOpcodeOps fpu_ops[] = {
 .name = "add.s",
 .translate = translate_add_s,
 .coprocessor = 0x1,
+}, {
+.name = "addexp.d",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "addexp.s",
+.translate = translate_nop,
+.coprocessor = 0x1,
+}, {
+.name = "addexpm.d",
+.translate = translate_mov_s,
+.coprocessor = 0x1,
+}, {
+.name = "addexpm.s",
+.translate = translate_mov_s,
+.coprocessor = 0x1,
 }, {
 .name = "ceil.d",
 .translate = translate_ftoi_d,
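
Review bot: "addexpm.d" is wired to translate_mov_s, the same translator as "addexpm.s". If the single-precision move translator is really what the double-precision opcode needs, say so in a comment; otherwise this reads like a copy-and-paste slip. The commit message says most div/sqrt sequence opcodes become nops, so it would also help to note next to these entries which ones are moves and why.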
@@ -7315,6 +7363,22 @@ static const XtensaOpcodeOps fpu_ops[] = {
 .name = "cvts.d",
 .translate = translate_cvts_d,
 .coprocessor = 0x1,
+},

[PATCH 05/21] target/xtensa: support copying registers up to 64 bits wide

2020-07-06 Thread Max Filippov
FLIX dependency breaking code assumes that all registers are 32 bit
wide. This may not always be correct.
Extract actual register width from the associated register file and use
it to create temporaries of correct width and generate correct data
movement instructions.

Signed-off-by: Max Filippov 
---
 target/xtensa/cpu.h   |  1 +
 target/xtensa/translate.c | 26 +-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 0409aa6189cf..960f6573447f 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -359,6 +359,7 @@ typedef struct opcode_arg {
 uint32_t raw_imm;
 void *in;
 void *out;
+uint32_t num_bits;
 } OpcodeArg;
 
 typedef struct DisasContext DisasContext;
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 9838bf6b3ec5..bc01a720719d 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -943,10 +943,10 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 
 for (opnd = vopnd = 0; opnd < opnds; ++opnd) {
 void **register_file = NULL;
+xtensa_regfile rf;
 
 if (xtensa_operand_is_register(isa, opc, opnd)) {
-xtensa_regfile rf = xtensa_operand_regfile(isa, opc, opnd);
-
+rf = xtensa_operand_regfile(isa, opc, opnd);
 register_file = dc->config->regfile[rf];
 
 if (rf == dc->config->a_regfile) {
@@ -972,6 +972,9 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 if (register_file) {
 arg[vopnd].in = register_file[v];
 arg[vopnd].out = register_file[v];
+arg[vopnd].num_bits = xtensa_regfile_num_bits(isa, rf);
+} else {
+arg[vopnd].num_bits = 32;
 }
 ++vopnd;
 }
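
Review bot: rf is now declared without an initializer at the top of the loop body and read in xtensa_regfile_num_bits(isa, rf) under "if (register_file)". It is assigned only inside the xtensa_operand_is_register() branch, so correctness relies on register_file being non-NULL only on that path. Initializing rf at its declaration, or computing num_bits inside the branch where rf is assigned, makes that explicit and avoids a maybe-uninitialized warning.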
@@ -,8 +1114,15 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 for (i = j = 0; i < n_arg_copy; ++i) {
 if (i == 0 || arg_copy[i].resource != resource) {
 resource = arg_copy[i].resource;
-temp = tcg_temp_local_new();
-tcg_gen_mov_i32(temp, arg_copy[i].arg->in);
+if (arg_copy[i].arg->num_bits <= 32) {
+temp = tcg_temp_local_new_i32();
+tcg_gen_mov_i32(temp, arg_copy[i].arg->in);
+} else if (arg_copy[i].arg->num_bits <= 64) {
+temp = tcg_temp_local_new_i64();
+tcg_gen_mov_i64(temp, arg_copy[i].arg->in);
+} else {
+g_assert_not_reached();
+}
 arg_copy[i].temp = temp;
 
 if (i != j) {
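
Review bot: The width dispatch (num_bits <= 32, num_bits <= 64, else g_assert_not_reached()) appears here and again in the free loop of the following hunk; a pair of small helpers keyed on num_bits would keep allocation and release in step. Since num_bits comes from the core's register file description, a width above 64 aborts QEMU during translation; rejecting such a configuration when the core is registered would fail earlier and with a clearer message.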
@@ -1143,7 +1153,13 @@ static void disas_xtensa_insn(CPUXtensaState *env, 
DisasContext *dc)
 }
 
 for (i = 0; i < n_arg_copy; ++i) {
-tcg_temp_free(arg_copy[i].temp);
+if (arg_copy[i].arg->num_bits <= 32) {
+tcg_temp_free_i32(arg_copy[i].temp);
+} else if (arg_copy[i].arg->num_bits <= 64) {
+tcg_temp_free_i64(arg_copy[i].temp);
+} else {
+g_assert_not_reached();
+}
 }
 
 if (dc->base.is_jmp == DISAS_NEXT) {
-- 
2.20.1




[PATCH 09/21] target/xtensa: add DFP option, registers and opcodes

2020-07-06 Thread Max Filippov
DFPU may be configured with 32-bit or with 64-bit registers. Xtensa ISA
does not specify how single-precision values are stored in 64-bit
registers. Existing implementations store them in the low half of the
registers.
Add value extraction and write back to single-precision opcodes.
Add new double precision opcodes. Add 64-bit register file.
Add 64-bit values dumping to the xtensa_cpu_dump_state.

Signed-off-by: Max Filippov 
---
 target/xtensa/cpu.c  |4 +
 target/xtensa/cpu.h  |4 +
 target/xtensa/fpu_helper.c   |  252 +++-
 target/xtensa/helper.h   |   29 +-
 target/xtensa/overlay_tool.h |6 +
 target/xtensa/translate.c| 1088 --
 6 files changed, 1338 insertions(+), 45 deletions(-)

diff --git a/target/xtensa/cpu.c b/target/xtensa/cpu.c
index 82c2ee0679f8..5abf3b6f994b 100644
--- a/target/xtensa/cpu.c
+++ b/target/xtensa/cpu.c
@@ -31,6 +31,7 @@
 #include "qemu/osdep.h"
 #include "qapi/error.h"
 #include "cpu.h"
+#include "fpu/softfloat.h"
 #include "qemu/module.h"
 #include "migration/vmstate.h"
 
@@ -104,6 +105,9 @@ static void xtensa_cpu_reset(DeviceState *dev)
 reset_mmu(env);
 s->halted = env->runstall;
 #endif
+if (!xtensa_option_enabled(env->config, XTENSA_OPTION_DFP_COPROCESSOR)) {
+set_no_signaling_nans(true, &env->fp_status);
+}
 }
 
 static ObjectClass *xtensa_cpu_class_by_name(const char *cpu_model)
diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 960f6573447f..76f596922ae6 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -52,6 +52,7 @@ enum {
 XTENSA_OPTION_COPROCESSOR,
 XTENSA_OPTION_BOOLEAN,
 XTENSA_OPTION_FP_COPROCESSOR,
+XTENSA_OPTION_DFP_COPROCESSOR,
 XTENSA_OPTION_MP_SYNCHRO,
 XTENSA_OPTION_CONDITIONAL_STORE,
 XTENSA_OPTION_ATOMCTL,
@@ -420,6 +421,7 @@ typedef struct XtensaOpcodeTranslators {
 
 extern const XtensaOpcodeTranslators xtensa_core_opcodes;
 extern const XtensaOpcodeTranslators xtensa_fpu2000_opcodes;
+extern const XtensaOpcodeTranslators xtensa_fpu_opcodes;
 
 struct XtensaConfig {
 const char *name;
@@ -482,6 +484,8 @@ struct XtensaConfig {
 unsigned n_mpu_fg_segments;
 unsigned n_mpu_bg_segments;
 const xtensa_mpu_entry *mpu_bg;
+
+bool use_first_nan;
 };
 
 typedef struct XtensaConfigList {
diff --git a/target/xtensa/fpu_helper.c b/target/xtensa/fpu_helper.c
index fae6836d3223..514b888b3d9a 100644
--- a/target/xtensa/fpu_helper.c
+++ b/target/xtensa/fpu_helper.c
@@ -33,6 +33,30 @@
 #include "exec/exec-all.h"
 #include "fpu/softfloat.h"
 
+enum {
+XTENSA_FP_I = 0x1,
+XTENSA_FP_U = 0x2,
+XTENSA_FP_O = 0x4,
+XTENSA_FP_Z = 0x8,
+XTENSA_FP_V = 0x10,
+};
+
+enum {
+XTENSA_FCR_FLAGS_SHIFT = 2,
+XTENSA_FSR_FLAGS_SHIFT = 7,
+};
+
+static const struct {
+uint32_t xtensa_fp_flag;
+int softfloat_fp_flag;
+} xtensa_fp_flag_map[] = {
+{ XTENSA_FP_I, float_flag_inexact, },
+{ XTENSA_FP_U, float_flag_underflow, },
+{ XTENSA_FP_O, float_flag_overflow, },
+{ XTENSA_FP_Z, float_flag_divbyzero, },
+{ XTENSA_FP_V, float_flag_invalid, },
+};
+
 void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 {
 static const int rounding_mode[] = {
@@ -46,64 +70,215 @@ void HELPER(wur_fpu2k_fcr)(CPUXtensaState *env, uint32_t v)
 set_float_rounding_mode(rounding_mode[v & 3], &env->fp_status);
 }
 
+void HELPER(wur_fpu_fcr)(CPUXtensaState *env, uint32_t v)
+{
+static const int rounding_mode[] = {
+float_round_nearest_even,
+float_round_to_zero,
+float_round_up,
+float_round_down,
+};
+
+if (v & 0xf000) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "MBZ field of FCR is written non-zero: %08x\n", v);
+}
+env->uregs[FCR] = v & 0x007f;
+set_float_rounding_mode(rounding_mode[v & 3], &env->fp_status);
+}
+
+void HELPER(wur_fpu_fsr)(CPUXtensaState *env, uint32_t v)
+{
+uint32_t flags = v >> XTENSA_FSR_FLAGS_SHIFT;
+int fef = 0;
+unsigned i;
+
+if (v & 0xf000) {
+qemu_log_mask(LOG_GUEST_ERROR,
+  "MBZ field of FSR is written non-zero: %08x\n", v);
+}
+env->uregs[FSR] = v & 0x0f80;
+for (i = 0; i < ARRAY_SIZE(xtensa_fp_flag_map); ++i) {
+if (flags & xtensa_fp_flag_map[i].xtensa_fp_flag) {
+fef |= xtensa_fp_flag_map[i].softfloat_fp_flag;
+}
+}
+set_float_exception_flags(fef, &env->fp_status);
+}
+
+uint32_t HELPER(rur_fpu_fsr)(CPUXtensaState *env)
+{
+uint32_t flags = 0;
+int fef = get_float_exception_flags(&env->fp_status);
+unsigned i;
+
+for (i = 0; i < ARRAY_SIZE(xtensa_fp_flag_map); ++i) {
+if (fef & xtensa_fp_flag_map[i].softfloat_fp_flag) {
+flags |= xtensa_fp_flag_map[i].xtensa_fp_flag;
+}
+}
+env->uregs[FSR] = flags << XTENSA_FSR_FLAGS_SHIFT;
+return flags << XTENSA_FSR_FLAGS_SHIFT;
+}
+
+float64 HELPER(abs_d)(float64 v)
+{
+return flo
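
Review bot: In wur_fpu_fcr the MBZ warning tests "v & 0xf000" while the stored value is "v & 0x007f", so bits that fall outside both masks are dropped without any diagnostic; wur_fpu_fsr has the same gap between 0xf000 and 0x0f80. Please either extend the MBZ check to everything outside the stored mask or add a comment on why those bits are ignored. The rounding_mode table in wur_fpu_fcr is also a second copy of the one in wur_fpu2k_fcr and could be shared.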

[PATCH 01/21] softfloat: make NO_SIGNALING_NANS runtime property

2020-07-06 Thread Max Filippov
target/xtensa, the only user of the NO_SIGNALING_NANS macro, has FPU
implementations with and without the corresponding property. With
NO_SIGNALING_NANS being a macro they cannot be a part of the same QEMU
executable.
Replace the macro with a new property in float_status to allow cores with
different FPU implementations to coexist.

Cc: Peter Maydell 
Cc: "Alex Bennée" 
Signed-off-by: Max Filippov 
---
 fpu/softfloat-specialize.inc.c  | 228 
 include/fpu/softfloat-helpers.h |   5 +
 include/fpu/softfloat-types.h   |   1 +
 3 files changed, 117 insertions(+), 117 deletions(-)

diff --git a/fpu/softfloat-specialize.inc.c b/fpu/softfloat-specialize.inc.c
index 44f5b661f831..b26bc039b0b6 100644
--- a/fpu/softfloat-specialize.inc.c
+++ b/fpu/softfloat-specialize.inc.c
@@ -79,13 +79,6 @@ this code that are retained.
  * version 2 or later. See the COPYING file in the top-level directory.
  */
 
-/* Define for architectures which deviate from IEEE in not supporting
- * signaling NaNs (so all NaNs are treated as quiet).
- */
-#if defined(TARGET_XTENSA)
-#define NO_SIGNALING_NANS 1
-#endif
-
 /* Define how the architecture discriminates signaling NaNs.
  * This done with the most significant bit of the fraction.
  * In IEEE 754-1985 this was implementation defined, but in IEEE 754-2008
@@ -111,12 +104,12 @@ static inline bool snan_bit_is_one(float_status *status)
 
 static bool parts_is_snan_frac(uint64_t frac, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-return false;
-#else
-bool msb = extract64(frac, DECOMPOSED_BINARY_POINT - 1, 1);
-return msb == snan_bit_is_one(status);
-#endif
+if (status->no_signaling_nans) {
+return false;
+} else {
+bool msb = extract64(frac, DECOMPOSED_BINARY_POINT - 1, 1);
+return msb == snan_bit_is_one(status);
+}
 }
 
 /*
@@ -170,9 +163,10 @@ static FloatParts parts_default_nan(float_status *status)
 
 static FloatParts parts_silence_nan(FloatParts a, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-g_assert_not_reached();
-#elif defined(TARGET_HPPA)
+if (status->no_signaling_nans) {
+g_assert_not_reached();
+}
+#if defined(TARGET_HPPA)
 a.frac &= ~(1ULL << (DECOMPOSED_BINARY_POINT - 1));
 a.frac |= 1ULL << (DECOMPOSED_BINARY_POINT - 2);
 #else
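Review bot: In parts_silence_nan() the g_assert_not_reached() used to be compiled in only for a target that never classifies a NaN as signaling; it now aborts QEMU at run time whenever status->no_signaling_nans is set, and that is per-CPU state. The invariant that keeps it unreachable (parts_is_snan_frac() returns false for such a status, so no caller sees an sNaN to silence) deserves a comment next to the check, so that a future caller which silences a NaN unconditionally does not turn guest floating-point input into a host abort.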
@@ -247,16 +241,16 @@ typedef struct {
 
 bool float16_is_quiet_nan(float16 a_, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-return float16_is_any_nan(a_);
-#else
-uint16_t a = float16_val(a_);
-if (snan_bit_is_one(status)) {
-return (((a >> 9) & 0x3F) == 0x3E) && (a & 0x1FF);
+if (status->no_signaling_nans) {
+return float16_is_any_nan(a_);
 } else {
-return ((a & ~0x8000) >= 0x7C80);
+uint16_t a = float16_val(a_);
+if (snan_bit_is_one(status)) {
+return (((a >> 9) & 0x3F) == 0x3E) && (a & 0x1FF);
+} else {
+return ((a & ~0x8000) >= 0x7C80);
+}
 }
-#endif
 }
 
 /*
@@ -266,16 +260,16 @@ bool float16_is_quiet_nan(float16 a_, float_status 
*status)
 
 bool float16_is_signaling_nan(float16 a_, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-return 0;
-#else
-uint16_t a = float16_val(a_);
-if (snan_bit_is_one(status)) {
-return ((a & ~0x8000) >= 0x7C80);
+if (status->no_signaling_nans) {
+return 0;
 } else {
-return (((a >> 9) & 0x3F) == 0x3E) && (a & 0x1FF);
+uint16_t a = float16_val(a_);
+if (snan_bit_is_one(status)) {
+return ((a & ~0x8000) >= 0x7C80);
+} else {
+return (((a >> 9) & 0x3F) == 0x3E) && (a & 0x1FF);
+}
 }
-#endif
 }
 
 /*
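Review bot: float16_is_signaling_nan() returns bool, but the new early exit keeps "return 0;" from the old preprocessor branch; "return false;" would match parts_is_snan_frac() above. Since the early return leaves the function, the else and the extra indentation level could also be dropped, which would shrink the diff for each of these predicates to the two or three added lines that matter.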
@@ -285,16 +279,16 @@ bool float16_is_signaling_nan(float16 a_, float_status 
*status)
 
 bool float32_is_quiet_nan(float32 a_, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-return float32_is_any_nan(a_);
-#else
-uint32_t a = float32_val(a_);
-if (snan_bit_is_one(status)) {
-return (((a >> 22) & 0x1FF) == 0x1FE) && (a & 0x003F);
+if (status->no_signaling_nans) {
+return float32_is_any_nan(a_);
 } else {
-return ((uint32_t)(a << 1) >= 0xFF80);
+uint32_t a = float32_val(a_);
+if (snan_bit_is_one(status)) {
+return (((a >> 22) & 0x1FF) == 0x1FE) && (a & 0x003F);
+} else {
+return ((uint32_t)(a << 1) >= 0xFF80);
+}
 }
-#endif
 }
 
 /*
@@ -304,16 +298,16 @@ bool float32_is_quiet_nan(float32 a_, float_status 
*status)
 
 bool float32_is_signaling_nan(float32 a_, float_status *status)
 {
-#ifdef NO_SIGNALING_NANS
-return 0;
-#else
-uint32_t a = float32_val(a_);
-if (snan_

[PATCH 07/21] target/xtensa: move FSR/FCR register accessors

2020-07-06 Thread Max Filippov
Move FSR/FCR register accessors from core opcodes to FPU2000 opcodes as
they are FPU2000-specific.

Signed-off-by: Max Filippov 
---
 target/xtensa/translate.c | 64 +++
 1 file changed, 32 insertions(+), 32 deletions(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 0deaeef6b5fa..f859cd3f0818 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -2813,18 +2813,6 @@ static void translate_wur(DisasContext *dc, const 
OpcodeArg arg[],
 tcg_gen_mov_i32(cpu_UR[par[0]], arg[0].in);
 }
 
-static void translate_wur_fpu2k_fcr(DisasContext *dc, const OpcodeArg arg[],
-const uint32_t par[])
-{
-gen_helper_wur_fpu2k_fcr(cpu_env, arg[0].in);
-}
-
-static void translate_wur_fsr(DisasContext *dc, const OpcodeArg arg[],
-  const uint32_t par[])
-{
-tcg_gen_andi_i32(cpu_UR[par[0]], arg[0].in, 0xff80);
-}
-
 static void translate_xor(DisasContext *dc, const OpcodeArg arg[],
   const uint32_t par[])
 {
@@ -4665,16 +4653,6 @@ static const XtensaOpcodeOps core_ops[] = {
 .name = "rur.expstate",
 .translate = translate_rur,
 .par = (const uint32_t[]){EXPSTATE},
-}, {
-.name = "rur.fcr",
-.translate = translate_rur,
-.par = (const uint32_t[]){FCR},
-.coprocessor = 0x1,
-}, {
-.name = "rur.fsr",
-.translate = translate_rur,
-.par = (const uint32_t[]){FSR},
-.coprocessor = 0x1,
 }, {
 .name = "rur.threadptr",
 .translate = translate_rur,
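Review bot: Dropping rur.fcr and rur.fsr from core_ops means a core decodes them only if fpu2000_ops is registered for it. The commit message should state that no existing core configuration relied on the core_ops entries without the FPU2000 option, since for such a core these opcodes would stop translating after this change.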
@@ -5581,16 +5559,6 @@ static const XtensaOpcodeOps core_ops[] = {
 .name = "wur.expstate",
 .translate = translate_wur,
 .par = (const uint32_t[]){EXPSTATE},
-}, {
-.name = "wur.fcr",
-.translate = translate_wur_fpu2k_fcr,
-.par = (const uint32_t[]){FCR},
-.coprocessor = 0x1,
-}, {
-.name = "wur.fsr",
-.translate = translate_wur_fsr,
-.par = (const uint32_t[]){FSR},
-.coprocessor = 0x1,
 }, {
 .name = "wur.threadptr",
 .translate = translate_wur,
@@ -6510,6 +6478,18 @@ static void translate_wfr_s(DisasContext *dc, const 
OpcodeArg arg[],
 tcg_gen_mov_i32(arg[0].out, arg[1].in);
 }
 
+static void translate_wur_fpu2k_fcr(DisasContext *dc, const OpcodeArg arg[],
+const uint32_t par[])
+{
+gen_helper_wur_fpu2k_fcr(cpu_env, arg[0].in);
+}
+
+static void translate_wur_fpu2k_fsr(DisasContext *dc, const OpcodeArg arg[],
+const uint32_t par[])
+{
+tcg_gen_andi_i32(cpu_UR[par[0]], arg[0].in, 0xff80);
+}
+
 static const XtensaOpcodeOps fpu2000_ops[] = {
 {
 .name = "abs.s",
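Review bot: translate_wur_fsr() comes back here as translate_wur_fpu2k_fsr(), so this is a rename as well as a move, which the commit message does not mention; patch 06/21 ("rename FPU2000 translators and helpers") looks like the better home for it. The literal mask passed to tcg_gen_andi_i32() is also carried over unnamed; a named constant for the writable FSR bits would document what the write discards.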
@@ -6632,6 +6612,16 @@ static const XtensaOpcodeOps fpu2000_ops[] = {
 .translate = translate_ftoi_s,
 .par = (const uint32_t[]){float_round_nearest_even, false},
 .coprocessor = 0x1,
+}, {
+.name = "rur.fcr",
+.translate = translate_rur,
+.par = (const uint32_t[]){FCR},
+.coprocessor = 0x1,
+}, {
+.name = "rur.fsr",
+.translate = translate_rur,
+.par = (const uint32_t[]){FSR},
+.coprocessor = 0x1,
 }, {
 .name = "ssi",
 .translate = translate_ldsti,
@@ -6699,6 +6689,16 @@ static const XtensaOpcodeOps fpu2000_ops[] = {
 .name = "wfr",
 .translate = translate_wfr_s,
 .coprocessor = 0x1,
+}, {
+.name = "wur.fcr",
+.translate = translate_wur_fpu2k_fcr,
+.par = (const uint32_t[]){FCR},
+.coprocessor = 0x1,
+}, {
+.name = "wur.fsr",
+.translate = translate_wur_fpu2k_fsr,
+.par = (const uint32_t[]){FSR},
+.coprocessor = 0x1,
 },
 };
 
-- 
2.20.1




[PATCH 04/21] target/xtensa: add geometry to xtensa_get_regfile_by_name

2020-07-06 Thread Max Filippov
Register file name may not uniquely identify a register file in the set
of configurations. E.g. floating point registers may have different size
in different configurations. Use register file geometry as additional
identifier.

Signed-off-by: Max Filippov 
---
 target/xtensa/cpu.h   |  2 +-
 target/xtensa/helper.c|  4 +++-
 target/xtensa/translate.c | 35 +++
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
index 0c96181212a5..0409aa6189cf 100644
--- a/target/xtensa/cpu.h
+++ b/target/xtensa/cpu.h
@@ -598,7 +598,7 @@ void xtensa_cpu_do_unaligned_access(CPUState *cpu, vaddr 
addr,
 
 void xtensa_collect_sr_names(const XtensaConfig *config);
 void xtensa_translate_init(void);
-void **xtensa_get_regfile_by_name(const char *name);
+void **xtensa_get_regfile_by_name(const char *name, int entries, int bits);
 void xtensa_breakpoint_handler(CPUState *cs);
 void xtensa_register_core(XtensaConfigList *node);
 void xtensa_sim_open_console(Chardev *chr);
diff --git a/target/xtensa/helper.c b/target/xtensa/helper.c
index 7073381f03b2..05e2b7f70a1e 100644
--- a/target/xtensa/helper.c
+++ b/target/xtensa/helper.c
@@ -133,8 +133,10 @@ static void init_libisa(XtensaConfig *config)
 config->regfile = g_new(void **, regfiles);
 for (i = 0; i < regfiles; ++i) {
 const char *name = xtensa_regfile_name(config->isa, i);
+int entries = xtensa_regfile_num_entries(config->isa, i);
+int bits = xtensa_regfile_num_bits(config->isa, i);
 
-config->regfile[i] = xtensa_get_regfile_by_name(name);
+config->regfile[i] = xtensa_get_regfile_by_name(name, entries, bits);
 #ifdef DEBUG
 if (config->regfile[i] == NULL) {
 fprintf(stderr, "regfile '%s' not found for %s\n",
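Review bot: The lookup can now fail for a register file whose name is known but whose geometry is not in the table, yet the only report is the existing "#ifdef DEBUG" fprintf, which prints the name without entries and bits. Include the geometry in that message and consider reporting a miss outside DEBUG builds, so that a NULL entry in config->regfile is noticed at init time.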
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index 03d796d7a1ed..9838bf6b3ec5 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -227,24 +227,43 @@ void xtensa_translate_init(void)
"exclusive_val");
 }
 
-void **xtensa_get_regfile_by_name(const char *name)
+void **xtensa_get_regfile_by_name(const char *name, int entries, int bits)
 {
+char *geometry_name;
+void **res;
+
 if (xtensa_regfile_table == NULL) {
 xtensa_regfile_table = g_hash_table_new(g_str_hash, g_str_equal);
+/*
+ * AR is special. Xtensa translator uses it as a current register
+ * window, but configuration overlays represent it as a complete
+ * physical register file.
+ */
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"AR", (void *)cpu_R);
+(void *)"AR 16x32", (void *)cpu_R);
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"MR", (void *)cpu_MR);
+(void *)"AR 32x32", (void *)cpu_R);
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"FR", (void *)cpu_FR);
+(void *)"AR 64x32", (void *)cpu_R);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR", (void *)cpu_BR);
+(void *)"MR 4x32", (void *)cpu_MR);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR4", (void *)cpu_BR4);
+(void *)"FR 16x32", (void *)cpu_FR);
+
 g_hash_table_insert(xtensa_regfile_table,
-(void *)"BR8", (void *)cpu_BR8);
+(void *)"BR 16x1", (void *)cpu_BR);
+g_hash_table_insert(xtensa_regfile_table,
+(void *)"BR4 4x4", (void *)cpu_BR4);
+g_hash_table_insert(xtensa_regfile_table,
+(void *)"BR8 2x8", (void *)cpu_BR8);
 }
-return (void **)g_hash_table_lookup(xtensa_regfile_table, (void *)name);
+
+geometry_name = g_strdup_printf("%s %dx%d", name, entries, bits);
+res = (void **)g_hash_table_lookup(xtensa_regfile_table, geometry_name);
+g_free(geometry_name);
+return res;
 }
 
 static inline bool option_enabled(DisasContext *dc, int opt)
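Review bot: The hash keys such as "AR 16x32" are hand-formatted strings that must match the "%s %dx%d" format used for the lookup byte for byte, and the two are maintained separately. A small static table of {name, entries, bits, pointer} entries, inserted through the same g_strdup_printf() format, would remove that coupling. FR is registered only as 16x32 although the commit message gives differently sized floating point registers as the motivation, so a note on where the other FR geometry gets added would help.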
-- 
2.20.1




[PATCH 00/21] target/xtensa: implement double precision FPU

2020-07-06 Thread Max Filippov
Hello,

this series implements double precision floating point unit option for
target/xtensa, updates FPU tests and adds two new CPU cores, one with
FPU2000 option and one with DFPU option.

Max Filippov (21):
  softfloat: make NO_SIGNALING_NANS runtime property
  softfloat: pass float_status pointer to pickNaN
  softfloat: add xtensa specialization for pickNaNMulAdd
  target/xtensa: add geometry to xtensa_get_regfile_by_name
  target/xtensa: support copying registers up to 64 bits wide
  target/xtensa: rename FPU2000 translators and helpers
  target/xtensa: move FSR/FCR register accessors
  target/xtensa: don't access BR regfile directly
  target/xtensa: add DFP option, registers and opcodes
  target/xtensa: implement FPU division and square root
  tests/tcg/xtensa: fix test execution on ISS
  tests/tcg/xtensa: update test_fp0_arith for DFPU
  tests/tcg/xtensa: expand madd tests
  tests/tcg/xtensa: update test_fp0_conv for DFPU
  tests/tcg/xtensa: update test_fp1 for DFPU
  tests/tcg/xtensa: update test_lsc for DFPU
  tests/tcg/xtensa: add fp0 div and sqrt tests
  tests/tcg/xtensa: test double precision load/store
  tests/tcg/xtensa: add DFP0 arith tests
  target/xtensa: import DE_233L_FPU core
  target/xtensa: import DSP3400 core

 fpu/softfloat-specialize.inc.c|276 +-
 fpu/softfloat.c   |  2 +-
 include/fpu/softfloat-helpers.h   | 10 +
 include/fpu/softfloat-types.h |  2 +
 target/xtensa/Makefile.objs   |  2 +
 target/xtensa/core-DE_233L_FPU.c  | 31 +
 target/xtensa/core-DE_233L_FPU/core-isa.h |727 +
 target/xtensa/core-DE_233L_FPU/core-matmap.h  |717 +
 .../xtensa/core-DE_233L_FPU/gdb-config.inc.c  |277 +
 .../core-DE_233L_FPU/xtensa-modules.inc.c |  20758 ++
 target/xtensa/core-dsp3400.c  | 31 +
 target/xtensa/core-dsp3400/core-isa.h |452 +
 target/xtensa/core-dsp3400/core-matmap.h  |312 +
 target/xtensa/core-dsp3400/gdb-config.inc.c   |400 +
 .../xtensa/core-dsp3400/xtensa-modules.inc.c  | 171906 +++
 target/xtensa/cpu.c   |  4 +
 target/xtensa/cpu.h   |  7 +-
 target/xtensa/fpu_helper.c|314 +-
 target/xtensa/helper.c|  4 +-
 target/xtensa/helper.h| 53 +-
 target/xtensa/overlay_tool.h  |  6 +
 target/xtensa/translate.c |   1345 +-
 tests/tcg/xtensa/fpu.h|142 +
 tests/tcg/xtensa/macros.inc   | 10 +-
 tests/tcg/xtensa/test_dfp0_arith.S|153 +
 tests/tcg/xtensa/test_fp0_arith.S |266 +-
 tests/tcg/xtensa/test_fp0_conv.S  |299 +-
 tests/tcg/xtensa/test_fp0_div.S   | 82 +
 tests/tcg/xtensa/test_fp0_sqrt.S  | 76 +
 tests/tcg/xtensa/test_fp1.S   | 62 +-
 tests/tcg/xtensa/test_lsc.S   |170 +-
 31 files changed, 198354 insertions(+), 542 deletions(-)
 create mode 100644 target/xtensa/core-DE_233L_FPU.c
 create mode 100644 target/xtensa/core-DE_233L_FPU/core-isa.h
 create mode 100644 target/xtensa/core-DE_233L_FPU/core-matmap.h
 create mode 100644 target/xtensa/core-DE_233L_FPU/gdb-config.inc.c
 create mode 100644 target/xtensa/core-DE_233L_FPU/xtensa-modules.inc.c
 create mode 100644 target/xtensa/core-dsp3400.c
 create mode 100644 target/xtensa/core-dsp3400/core-isa.h
 create mode 100644 target/xtensa/core-dsp3400/core-matmap.h
 create mode 100644 target/xtensa/core-dsp3400/gdb-config.inc.c
 create mode 100644 target/xtensa/core-dsp3400/xtensa-modules.inc.c
 create mode 100644 tests/tcg/xtensa/fpu.h
 create mode 100644 tests/tcg/xtensa/test_dfp0_arith.S
 create mode 100644 tests/tcg/xtensa/test_fp0_div.S
 create mode 100644 tests/tcg/xtensa/test_fp0_sqrt.S

-- 
2.20.1




[PATCH 03/21] softfloat: add xtensa specialization for pickNaNMulAdd

2020-07-06 Thread Max Filippov
pickNaNMulAdd logic on Xtensa is the same as pickNaN when applied to
the expression (a * b) + c. So with two pickNaN variants there must be
two pickNaNMulAdd variants.

Cc: Peter Maydell 
Cc: "Alex Bennée" 
Signed-off-by: Max Filippov 
---
 fpu/softfloat-specialize.inc.c | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/fpu/softfloat-specialize.inc.c b/fpu/softfloat-specialize.inc.c
index e17327b405c5..6b07d50efad3 100644
--- a/fpu/softfloat-specialize.inc.c
+++ b/fpu/softfloat-specialize.inc.c
@@ -574,6 +574,24 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass 
b_cls, FloatClass c_cls,
 } else {
 return 1;
 }
+#elif defined(TARGET_XTENSA)
+if (status->use_first_nan) {
+if (is_nan(a_cls)) {
+return 0;
+} else if (is_nan(b_cls)) {
+return 1;
+} else {
+return 2;
+}
+} else {
+if (is_nan(c_cls)) {
+return 2;
+} else if (is_nan(b_cls)) {
+return 1;
+} else {
+return 0;
+}
+}
 #else
 /* A default implementation: prefer a to b to c.
  * This is unlikely to actually match any real implementation.
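Review bot: Neither branch of the new TARGET_XTENSA block checks its last candidate: with use_first_nan set it returns 2 without testing is_nan(c_cls), and otherwise it returns 0 without testing is_nan(a_cls). That is correct only if the caller guarantees at least one NaN operand; say so in a comment, and describe the two modes here as well, since this block has no comment at all.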
-- 
2.20.1




[PATCH 02/21] softfloat: pass float_status pointer to pickNaN

2020-07-06 Thread Max Filippov
Pass float_status structure pointer to the pickNaN so that
machine-specific settings are available to NaN selection code.
Add use_first_nan property to float_status and use it in Xtensa-specific
pickNaN.

Cc: Peter Maydell 
Cc: "Alex Bennée" 
Signed-off-by: Max Filippov 
---
 fpu/softfloat-specialize.inc.c  | 30 --
 fpu/softfloat.c |  2 +-
 include/fpu/softfloat-helpers.h |  5 +
 include/fpu/softfloat-types.h   |  1 +
 4 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/fpu/softfloat-specialize.inc.c b/fpu/softfloat-specialize.inc.c
index b26bc039b0b6..e17327b405c5 100644
--- a/fpu/softfloat-specialize.inc.c
+++ b/fpu/softfloat-specialize.inc.c
@@ -368,7 +368,7 @@ static float32 commonNaNToFloat32(commonNaNT a, 
float_status *status)
 **/
 
 static int pickNaN(FloatClass a_cls, FloatClass b_cls,
-   bool aIsLargerSignificand)
+   bool aIsLargerSignificand, float_status *status)
 {
 #if defined(TARGET_ARM) || defined(TARGET_MIPS) || defined(TARGET_HPPA)
 /* ARM mandated NaN propagation rules (see FPProcessNaNs()), take
@@ -401,7 +401,7 @@ static int pickNaN(FloatClass a_cls, FloatClass b_cls,
 } else {
 return 1;
 }
-#elif defined(TARGET_PPC) || defined(TARGET_XTENSA) || defined(TARGET_M68K)
+#elif defined(TARGET_PPC) || defined(TARGET_M68K)
 /* PowerPC propagation rules:
  *  1. A if it sNaN or qNaN
  *  2. B if it sNaN or qNaN
@@ -426,6 +426,24 @@ static int pickNaN(FloatClass a_cls, FloatClass b_cls,
 } else {
 return 1;
 }
+#elif defined(TARGET_XTENSA)
+/*
+ * Xtensa has two NaN propagation modes.
+ * Which one is active is controlled by float_status::use_first_nan.
+ */
+if (status->use_first_nan) {
+if (is_nan(a_cls)) {
+return 0;
+} else {
+return 1;
+}
+} else {
+if (is_nan(b_cls)) {
+return 1;
+} else {
+return 0;
+}
+}
 #else
 /* This implements x87 NaN propagation rules:
  * SNaN + QNaN => return the QNaN
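Review bot: Before this patch Xtensa shared the PowerPC rule, which prefers A; the new TARGET_XTENSA block prefers B whenever use_first_nan is false. The diffstat touches only fpu/ and include/fpu/, so nothing in this patch calls set_use_first_nan() for Xtensa CPUs, and unless float_status starts out with the flag set the NaN chosen for Xtensa guests changes at this commit. Either set the flag in the Xtensa CPU setup in the same patch or invert the sense of the flag, so the series stays bisectable.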
@@ -613,7 +631,7 @@ static float32 propagateFloat32NaN(float32 a, float32 b, 
float_status *status)
 aIsLargerSignificand = (av < bv) ? 1 : 0;
 }
 
-if (pickNaN(a_cls, b_cls, aIsLargerSignificand)) {
+if (pickNaN(a_cls, b_cls, aIsLargerSignificand, status)) {
 if (is_snan(b_cls)) {
 return float32_silence_nan(b, status);
 }
@@ -751,7 +769,7 @@ static float64 propagateFloat64NaN(float64 a, float64 b, 
float_status *status)
 aIsLargerSignificand = (av < bv) ? 1 : 0;
 }
 
-if (pickNaN(a_cls, b_cls, aIsLargerSignificand)) {
+if (pickNaN(a_cls, b_cls, aIsLargerSignificand, status)) {
 if (is_snan(b_cls)) {
 return float64_silence_nan(b, status);
 }
@@ -915,7 +933,7 @@ floatx80 propagateFloatx80NaN(floatx80 a, floatx80 b, 
float_status *status)
 aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
 }
 
-if (pickNaN(a_cls, b_cls, aIsLargerSignificand)) {
+if (pickNaN(a_cls, b_cls, aIsLargerSignificand, status)) {
 if (is_snan(b_cls)) {
 return floatx80_silence_nan(b, status);
 }
@@ -1063,7 +1081,7 @@ static float128 propagateFloat128NaN(float128 a, float128 
b,
 aIsLargerSignificand = (a.high < b.high) ? 1 : 0;
 }
 
-if (pickNaN(a_cls, b_cls, aIsLargerSignificand)) {
+if (pickNaN(a_cls, b_cls, aIsLargerSignificand, status)) {
 if (is_snan(b_cls)) {
 return float128_silence_nan(b, status);
 }
diff --git a/fpu/softfloat.c b/fpu/softfloat.c
index 5e9746c2876f..a89056a1816e 100644
--- a/fpu/softfloat.c
+++ b/fpu/softfloat.c
@@ -881,7 +881,7 @@ static FloatParts pick_nan(FloatParts a, FloatParts b, 
float_status *s)
 } else {
 if (pickNaN(a.cls, b.cls,
 a.frac > b.frac ||
-(a.frac == b.frac && a.sign < b.sign))) {
+(a.frac == b.frac && a.sign < b.sign), s)) {
 a = b;
 }
 if (is_snan(a.cls)) {
diff --git a/include/fpu/softfloat-helpers.h b/include/fpu/softfloat-helpers.h
index e842f83a1285..2f0674fbddec 100644
--- a/include/fpu/softfloat-helpers.h
+++ b/include/fpu/softfloat-helpers.h
@@ -95,6 +95,11 @@ static inline void set_snan_bit_is_one(bool val, 
float_status *status)
 status->snan_bit_is_one = val;
 }
 
+static inline void set_use_first_nan(bool val, float_status *status)
+{
+status->use_first_nan = val;
+}
+
 static inline void set_no_signaling_nans(bool val, float_status *status)
 {
 status->no_signaling_nans = val;
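Review bot: set_use_first_nan() is added without a comment, and the name alone does not say that it selects between the two Xtensa NaN propagation modes and is ignored by every other target's pickNaN(). A one-line comment here would keep another target from setting it and expecting an effect.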
diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h
index 10bd208e559f..aaee6e4cdd23 100644
--- a/include/fpu/softfloat-types.h
+++ b/include/fpu/softfloat-types.h
@@ -167,6 +167,7 @@ typedef struct float_status {
 bool defa

Re: [PULL v2 12/64] target/riscv: add vector amo operations

2020-07-06 Thread Alistair Francis
On Sun, Jul 5, 2020 at 11:20 AM Peter Maydell  wrote:
>
> On Thu, 2 Jul 2020 at 17:33, Alistair Francis  
> wrote:
> >
> > From: LIU Zhiwei 
> >
> > Vector AMOs operate as if aq and rl bits were zero on each element
> > with regard to ordering relative to other instructions in the same hart.
> > Vector AMOs provide no ordering guarantee between element operations
> > in the same vector AMO instruction
>
> Hi; Coverity thinks (probably wrongly) that there might be an array
> overflow here:
>
> > +static bool amo_op(DisasContext *s, arg_rwdvm *a, uint8_t seq)
> > +{
> > +uint32_t data = 0;
> > +gen_helper_amo *fn;
> > +static gen_helper_amo *const fnsw[9] = {
>
> This is a 9-element array...
>
> > +/* no atomic operation */
> > +gen_helper_vamoswapw_v_w,
> > +gen_helper_vamoaddw_v_w,
> > +gen_helper_vamoxorw_v_w,
> > +gen_helper_vamoandw_v_w,
> > +gen_helper_vamoorw_v_w,
> > +gen_helper_vamominw_v_w,
> > +gen_helper_vamomaxw_v_w,
> > +gen_helper_vamominuw_v_w,
> > +gen_helper_vamomaxuw_v_w
> > +};
>
> > +if (tb_cflags(s->base.tb) & CF_PARALLEL) {
> > +gen_helper_exit_atomic(cpu_env);
> > +s->base.is_jmp = DISAS_NORETURN;
> > +return true;
> > +} else {
> > +if (s->sew == 3) {
> > +#ifdef TARGET_RISCV64
> > +fn = fnsd[seq];
> > +#else
> > +/* Check done in amo_check(). */
> > +g_assert_not_reached();
> > +#endif
> > +} else {
> > +fn = fnsw[seq];
>
> ...which we here index via 'seq'...
>
>
> > +#ifdef TARGET_RISCV64
> > +GEN_VEXT_TRANS(vamoswapd_v, 9, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamoaddd_v, 10, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamoxord_v, 11, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamoandd_v, 12, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamoord_v, 13, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamomind_v, 14, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamomaxd_v, 15, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamominud_v, 16, rwdvm, amo_op, amo_check)
> > +GEN_VEXT_TRANS(vamomaxud_v, 17, rwdvm, amo_op, amo_check)
> > +#endif
>
> ...which in the calls that these macros expand out to can
> be 9 or greater.
>
> If it's in fact impossible to get into that code path
> with a value of seq that's larger than the array, it
> would help Coverity if we asserted so, maybe
>assert(seq < ARRAY_SIZE(fnsw));
>
> This is CID 1430177, 1430178, 1430179, 1430180, 1430181,
> 1430182, 1430183, 1430184, 1430185, 14305186.

@ LIU Zhiwei can you please look into this and send a patch with a fix?

Alistair

>
> thanks
> -- PMM



Re: [PATCH 08/26] hw/usb/hcd-dwc2: Restrict 'dwc2-regs.h' scope

2020-07-06 Thread Paul Zimmerman
On Sat, Jul 4, 2020 at 7:50 AM Philippe Mathieu-Daudé 
wrote:

> We only use these register definitions in files under the
> hw/usb/ directory. Keep that header local by moving it there.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  {include/hw => hw}/usb/dwc2-regs.h | 0
>  hw/usb/hcd-dwc2.c  | 2 +-
>  2 files changed, 1 insertion(+), 1 deletion(-)
>  rename {include/hw => hw}/usb/dwc2-regs.h (100%)
>
> diff --git a/include/hw/usb/dwc2-regs.h b/hw/usb/dwc2-regs.h
> similarity index 100%
> rename from include/hw/usb/dwc2-regs.h
> rename to hw/usb/dwc2-regs.h
> diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
> index ccf05d0823..252b60ef65 100644
> --- a/hw/usb/hcd-dwc2.c
> +++ b/hw/usb/hcd-dwc2.c
> @@ -34,7 +34,6 @@
>  #include "qemu/osdep.h"
>  #include "qemu/units.h"
>  #include "qapi/error.h"
> -#include "hw/usb/dwc2-regs.h"
>  #include "hw/usb/hcd-dwc2.h"
>  #include "hw/irq.h"
>  #include "sysemu/dma.h"
> @@ -43,6 +42,7 @@
>  #include "qemu/timer.h"
>  #include "qemu/log.h"
>  #include "hw/qdev-properties.h"
> +#include "dwc2-regs.h"
>
>  #define USB_HZ_FS   1200
>  #define USB_HZ_HS   9600
> --
> 2.21.3
>
>
Reviewed-by: Paul Zimmerman 


Re: [PATCH 06/26] hw/usb/hcd-dwc2: Remove unnecessary includes

2020-07-06 Thread Paul Zimmerman
On Sat, Jul 4, 2020 at 7:50 AM Philippe Mathieu-Daudé 
wrote:

> "qemu/error-report.h" and "qemu/main-loop.h" are not used.
> Remove them.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/usb/hcd-dwc2.c | 2 --
>  1 file changed, 2 deletions(-)
>
> diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
> index 72cbd051f3..590e75b455 100644
> --- a/hw/usb/hcd-dwc2.c
> +++ b/hw/usb/hcd-dwc2.c
> @@ -39,8 +39,6 @@
>  #include "migration/vmstate.h"
>  #include "trace.h"
>  #include "qemu/log.h"
> -#include "qemu/error-report.h"
> -#include "qemu/main-loop.h"
>  #include "hw/qdev-properties.h"
>
>  #define USB_HZ_FS   1200
> --
> 2.21.3
>
>
Reviewed-by: Paul Zimmerman 


Re: [PATCH 07/26] hw/usb/hcd-dwc2: Restrict some headers to source

2020-07-06 Thread Paul Zimmerman
On Sat, Jul 4, 2020 at 7:50 AM Philippe Mathieu-Daudé 
wrote:

> The header "usb/hcd-dwc2.h" doesn't need to include "qemu/timer.h",
> "sysemu/dma.h", "hw/irq.h" (the types required are forward declared).
> Include them in the source file which is the only one requiring the
> function declarations.
>
> Signed-off-by: Philippe Mathieu-Daudé 
> ---
>  hw/usb/hcd-dwc2.h | 3 ---
>  hw/usb/hcd-dwc2.c | 3 +++
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/hw/usb/hcd-dwc2.h b/hw/usb/hcd-dwc2.h
> index 4ba809a07b..2adf0f53c7 100644
> --- a/hw/usb/hcd-dwc2.h
> +++ b/hw/usb/hcd-dwc2.h
> @@ -19,11 +19,8 @@
>  #ifndef HW_USB_DWC2_H
>  #define HW_USB_DWC2_H
>
> -#include "qemu/timer.h"
> -#include "hw/irq.h"
>  #include "hw/sysbus.h"
>  #include "hw/usb.h"
> -#include "sysemu/dma.h"
>
>  #define DWC2_MMIO_SIZE  0x11000
>
> diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c
> index 590e75b455..ccf05d0823 100644
> --- a/hw/usb/hcd-dwc2.c
> +++ b/hw/usb/hcd-dwc2.c
> @@ -36,8 +36,11 @@
>  #include "qapi/error.h"
>  #include "hw/usb/dwc2-regs.h"
>  #include "hw/usb/hcd-dwc2.h"
> +#include "hw/irq.h"
> +#include "sysemu/dma.h"
>  #include "migration/vmstate.h"
>  #include "trace.h"
> +#include "qemu/timer.h"
>  #include "qemu/log.h"
>  #include "hw/qdev-properties.h"
>
> --
> 2.21.3
>
>
Reviewed-by: Paul Zimmerman 


Re: Failure prints during format or mounting a usb storage device

2020-07-06 Thread Paul Zimmerman

On 7/6/20 3:21 PM, Paul Zimmerman wrote:

On Sat, Jul 4, 2020 at 11:24 AM Paul Zimmerman <pauld...@gmail.com> wrote:

On Sat, Jul 4, 2020 at 11:21 AM Sai Pavan Boddu <saip...@xilinx.com> wrote:

Hi,

We are seeing some errors when a usb-storage device is formatted or
mounted on the guest. Below is the commit I have bisected it to.

Errors:

/ # mount /dev/sda /mnt
[New Thread 0x7fffd4680700 (LWP 23270)]
[   33.258454] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[   33.399528] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[   33.544621] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using xhci_hcd
[   33.560460] sd 2:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK
[   33.562405] sd 2:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 10 00 00 00 01 00
[   33.563389] blk_update_request: I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
/ # [Thread 0x7fffd4680700 (LWP 23270) exited]



Bisect commit :

commit 7ad3d51ebb8a522ffcad391c4bef281245739dde
Author: Paul Zimmerman <pauld...@gmail.com>
Date:   Wed May 20 16:53:47 2020 -0700

    usb: add short-packet handling to usb-storage driver

    The dwc-hsotg (dwc2) USB host depends on a short packet to
    indicate the end of an IN transfer. The usb-storage driver
    currently doesn't provide this, so fix it.

    I have tested this change rather extensively using a PC
    emulation with xhci, ehci, and uhci controllers, and have
    not observed any regressions.

    Signed-off-by: Paul Zimmerman <pauld...@gmail.com>
    Message-id: 20200520235349.21215-6-pauld...@gmail.com
    Signed-off-by: Peter Maydell peter.mayd...@linaro.org

Steps to reproduce:

 1. x86_64-softmmu/qemu-system-x86_64 -kernel bzImage -nographic -append "console=ttyS0" -m 512M -initrd initramfs.cpio.gz -device qemu-xhci,id=xhci1 -drive file=./usb.img,if=none,id=stick
 2. Hotplug usb-storage:

         device_add usb-storage,bus=xhci1.0,port=1,id=usbdev1,drive=stick

 3. Format & mount the detected device

mkfs.vfat -F 32 /dev/sda
mount /dev/sda /mnt

You can find the similar errors mentioned above at this stage.

Test Environment:

    Host:  Ubuntu 16.04 LTS
    Guest:  kernel version: 5.4.0 & BusyBox v1.31.1

Thanks & Regards,
Sai Pavan

I can try to reproduce this on Monday, if no one beats me to it.



I am able to reproduce this. Despite the errors in dmesg, the drive
does end up mounting and working OK, which is probably why I didn’t
spot it during testing. Sai, does the drive work OK for you too
despite the errors?

Thanks,
Paul


Gerd, do you know the purpose of the 'short_not_ok' parameter to
usb_packet_setup()? The simple patch below fixes the reported problem,
but I don't know if it could cause some other problems for XHCI.
hcd-ehci, hcd-ohci, hcd-uhci all set the parameter conditionally,
but hcd-xhci never sets it. I don't understand the purpose of the
parameter myself.

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index b330e36fe6..9fb96fdd66 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1614,7 +1614,7 @@ static int xhci_setup_packet(XHCITransfer *xfer)
 
 xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
 
 xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */

 usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
- xfer->trbs[0].addr, false, xfer->int_req);
+ xfer->trbs[0].addr, dir == USB_TOKEN_IN, xfer->int_req);
 usb_packet_map(&xfer->packet, &xfer->sgl);
 DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
 xfer->packet.pid, ep->dev->addr, ep->nr);
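Review bot: Passing "dir == USB_TOKEN_IN" as short_not_ok applies to every IN transfer on xHCI, for all devices and not only usb-storage, while the message above notes that hcd-ehci, hcd-ohci and hcd-uhci set the parameter conditionally. Before this goes in, the value should be derived from the transfer itself as it is in those controllers, or the call needs a comment explaining why an unconditional value is correct for xHCI; a test run with a non-storage IN endpoint would back that up.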

Thanks,
Paul



Re: Failure prints during format or mounting a usb storage device

2020-07-06 Thread Paul Zimmerman
On Sat, Jul 4, 2020 at 11:24 AM Paul Zimmerman  wrote:

>
>
> On Sat, Jul 4, 2020 at 11:21 AM Sai Pavan Boddu 
> wrote:
>
>> Hi,
>>
>>
>>
>> We are seeing some errors when a usb-storage device is formatted or
>> mounted on the guest. Below is the commit I have bisected it to.
>>
>>
>>
>> **
>>
>> Errors:
>>
>>
>>
>> / # mount /dev/sda /mnt
>>
>> [New Thread 0x7fffd4680700 (LWP 23270)]
>>
>> [   33.258454] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using
>> xhci_hcd
>>
>> [   33.399528] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using
>> xhci_hcd
>>
>> [   33.544621] usb 2-1: reset SuperSpeed Gen 1 USB device number 2 using
>> xhci_hcd
>>
>> [   33.560460] sd 2:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_ERROR
>> driverbyte=DRIVER_OK
>>
>> [   33.562405] sd 2:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 00 10 00 00
>> 00 01 00
>>
>> [   33.563389] blk_update_request: I/O error, dev sda, sector 4096 op
>> 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
>>
>> / # [Thread 0x7fffd4680700 (LWP 23270) exited]
>>
>>
>>
>> 
>>
>> Bisect commit :
>>
>>
>>
>> commit 7ad3d51ebb8a522ffcad391c4bef281245739dde
>>
>> Author: Paul Zimmerman 
>>
>> Date:   Wed May 20 16:53:47 2020 -0700
>>
>>
>>
>> usb: add short-packet handling to usb-storage driver
>>
>>
>>
>> The dwc-hsotg (dwc2) USB host depends on a short packet to
>>
>> indicate the end of an IN transfer. The usb-storage driver
>>
>> currently doesn't provide this, so fix it.
>>
>>
>>
>> I have tested this change rather extensively using a PC
>>
>> emulation with xhci, ehci, and uhci controllers, and have
>>
>> not observed any regressions.
>>
>>
>>
>> Signed-off-by: Paul Zimmerman 
>>
>> Message-id: 20200520235349.21215-6-pauld...@gmail.com
>>
>> Signed-off-by: Peter Maydell peter.mayd...@linaro.org
>>
>>
>>
>> =
>>
>> Steps to reproduce:
>>
>>1. x86_64-softmmu/qemu-system-x86_64 -kernel bzImage -nographic
>>-append "console=ttyS0" -m 512M -initrd initramfs.cpio.gz -device
>>qemu-xhci,id=xhci1 -drive file=./usb.img,if=none,id=stick
>>2. Hotplug usb-storage:
>>
>> device_add
>> usb-storage,bus=xhci1.0,port=1,id=usbdev1,drive=stick
>>
>>1. Format &  mount the detected device
>>
>> mkfs.vfat -F 32 /dev/sda
>> mount /dev/sda /mnt
>>
>> You can find the similar errors mentioned above at this stage.
>>
>> Test Environment:
>>
>>Host:  Ubuntu 16.04 LTS
>>
>>Guest:  kernel version: 5.4.0 & BusyBox v1.31.1
>>
>>
>>
>> Thanks & Regards,
>>
>> Sai Pavan
>>
>>
>>
> I can try to reproduce this on Monday, if no one beats me to it.
>

>
I am able to reproduce this. Despite the errors in dmesg, the drive does
end up mounting and working OK, which is probably why I didn’t spot it
during testing.
Sai, does the drive work OK for you too despite the errors?

Thanks,
Paul


[PATCH 1/2] tpm: tpm_spapr: Exit on TPM backend failures

2020-07-06 Thread Stefan Berger
Exit on TPM backend failures in the same way as the TPM CRB and TIS device
models do.

Signed-off-by: Stefan Berger 
---
 hw/tpm/tpm_spapr.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/tpm/tpm_spapr.c b/hw/tpm/tpm_spapr.c
index cb4dfd1e6a..8288ab0a15 100644
--- a/hw/tpm/tpm_spapr.c
+++ b/hw/tpm/tpm_spapr.c
@@ -306,7 +306,10 @@ static void tpm_spapr_reset(SpaprVioDevice *dev)
 TPM_SPAPR_BUFFER_MAX);
 
 tpm_backend_reset(s->be_driver);
-tpm_spapr_do_startup_tpm(s, s->be_buffer_size);
+
+if (tpm_spapr_do_startup_tpm(s, s->be_buffer_size) < 0) {
+exit(1);
+}
 }
 
 static enum TPMVersion tpm_spapr_get_version(TPMIf *ti)
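Review bot: the new exit(1) in tpm_spapr_reset() terminates QEMU without printing anything at this call site, so unless tpm_spapr_do_startup_tpm() already reports the failure (not visible in this hunk) the user gets a silent exit. Since this is the device reset handler, consider an error_report() naming the TPM backend startup failure just before exit(1), plus a short comment that the exit is deliberate and mirrors the CRB and TIS models.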
-- 
2.24.1




[PATCH 0/2] tpm: Some fixes

2020-07-06 Thread Stefan Berger
This series of patches fixes the TPM SPAPR device model so that it reacts
in the same way as the other device models do when the backend device did
not start up properly. It now calls exit(1).

Also, due to a change in the TPM 2 code, the pcrUpdate counter now returns
a different value than before. So it's better to skip the first 14 bytes
of the TPM 2 response when comparing the responses.

   Stefan

Stefan Berger (2):
  tpm: tpm_spapr: Exit on TPM backend failures
  tests: Skip over first 14 bytes when comparing TPM PCRRead result

 hw/tpm/tpm_spapr.c  | 5 -
 tests/qtest/tpm-tests.c | 6 +++---
 tests/qtest/tpm-util.c  | 6 --
 tests/qtest/tpm-util.h  | 3 ++-
 4 files changed, 13 insertions(+), 7 deletions(-)

-- 
2.24.1




[PATCH 2/2] tests: Skip over first 14 bytes when comparing TPM PCRRead result

2020-07-06 Thread Stefan Berger
Due to a change in the TPM 2 code the pcrUpdate counter in the
PCRRead response is now different. The easiest way is to skip over
the first 14 bytes and only compare the tail of the response.

Signed-off-by: Stefan Berger 
---
 tests/qtest/tpm-tests.c | 6 +++---
 tests/qtest/tpm-util.c  | 6 --
 tests/qtest/tpm-util.h  | 3 ++-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/tests/qtest/tpm-tests.c b/tests/qtest/tpm-tests.c
index a2f2838e15..8f6491a4b7 100644
--- a/tests/qtest/tpm-tests.c
+++ b/tests/qtest/tpm-tests.c
@@ -65,7 +65,7 @@ void tpm_test_swtpm_test(const char *src_tpm_path, tx_func 
*tx,
 "\x98\xe5\x86\x8d\xe6\x8b\x97\x29\x99\x60\xf2\x71\x7d\x17\x67\x89"
 "\xa4\x2f\x9a\xae\xa8\xc7\xb7\xaa\x79\xa8\x62\x56\xc1\xde";
 tpm_util_pcrread(s, tx, tpm_pcrread_resp,
- sizeof(tpm_pcrread_resp));
+ sizeof(tpm_pcrread_resp), 14);
 
 qtest_end();
 tpm_util_swtpm_kill(swtpm_pid);
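Review bot: the literal 14 passed to tpm_util_pcrread() here (and twice more in the migration test) is a magic number; a named constant with a comment saying which response fields those 14 bytes cover would make the intent reviewable. The commit message says only the pcrUpdate counter changed, but skipping from byte 0 also stops comparing everything that precedes the counter, so consider still comparing the leading bytes and excluding only the counter.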
@@ -113,13 +113,13 @@ void tpm_test_swtpm_migration_test(const char 
*src_tpm_path,
 "\x98\xe5\x86\x8d\xe6\x8b\x97\x29\x99\x60\xf2\x71\x7d\x17\x67\x89"
 "\xa4\x2f\x9a\xae\xa8\xc7\xb7\xaa\x79\xa8\x62\x56\xc1\xde";
 tpm_util_pcrread(src_qemu, tx, tpm_pcrread_resp,
- sizeof(tpm_pcrread_resp));
+ sizeof(tpm_pcrread_resp), 14);
 
 tpm_util_migrate(src_qemu, uri);
 tpm_util_wait_for_migration_complete(src_qemu);
 
 tpm_util_pcrread(dst_qemu, tx, tpm_pcrread_resp,
- sizeof(tpm_pcrread_resp));
+ sizeof(tpm_pcrread_resp), 14);
 
 qtest_quit(dst_qemu);
 qtest_quit(src_qemu);
diff --git a/tests/qtest/tpm-util.c b/tests/qtest/tpm-util.c
index 34efae8f18..df85e23432 100644
--- a/tests/qtest/tpm-util.c
+++ b/tests/qtest/tpm-util.c
@@ -130,7 +130,8 @@ void tpm_util_pcrextend(QTestState *s, tx_func *tx)
 }
 
 void tpm_util_pcrread(QTestState *s, tx_func *tx,
-  const unsigned char *exp_resp, size_t exp_resp_size)
+  const unsigned char *exp_resp, size_t exp_resp_size,
+  off_t offset)
 {
 unsigned char buffer[1024];
 unsigned char tpm_pcrread[] =
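Review bot: off_t offset in the tpm_util_pcrread() signature is a signed file-offset type used here to index an in-memory buffer; size_t would match exp_resp_size and rule out negative values by construction.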
@@ -139,7 +140,8 @@ void tpm_util_pcrread(QTestState *s, tx_func *tx,
 
 tx(s, tpm_pcrread, sizeof(tpm_pcrread), buffer, sizeof(buffer));
 
-g_assert_cmpmem(buffer, exp_resp_size, exp_resp, exp_resp_size);
+g_assert_cmpmem(&buffer[offset], exp_resp_size - offset,
+&exp_resp[offset], exp_resp_size - offset);
 }
 
 bool tpm_util_swtpm_has_tpm2(void)
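Review bot: exp_resp_size - offset in the g_assert_cmpmem() call is computed without checking that offset lies between 0 and exp_resp_size, so a bad caller value wraps to a huge length and the comparison reads past buffer[1024] and exp_resp. Add something like g_assert(offset >= 0 && (size_t)offset <= exp_resp_size) before the comparison.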
diff --git a/tests/qtest/tpm-util.h b/tests/qtest/tpm-util.h
index 3b97d69017..d6f4c17218 100644
--- a/tests/qtest/tpm-util.h
+++ b/tests/qtest/tpm-util.h
@@ -34,7 +34,8 @@ void tpm_util_tis_transfer(QTestState *s,
 void tpm_util_startup(QTestState *s, tx_func *tx);
 void tpm_util_pcrextend(QTestState *s, tx_func *tx);
 void tpm_util_pcrread(QTestState *s, tx_func *tx,
-  const unsigned char *exp_resp, size_t exp_resp_size);
+  const unsigned char *exp_resp, size_t exp_resp_size,
+  off_t offset);
 
 bool tpm_util_swtpm_has_tpm2(void);
 
-- 
2.24.1




Re: [PATCH v3] SEV: QMP support for Inject-Launch-Secret

2020-07-06 Thread tobin

On 2020-07-06 17:54, Tobin Feldman-Fitzthum wrote:

Not sure if v3 is necessary, but here it is.
Fixed the 32-bit issues and removed the checks
on header and secret length. I agree with Brijesh
that those are best left to the PSP, which
returns somewhat helpful errors if either are incorrect.

Having a check in QEMU might be a handy hint for
developers who are trying to formulate a valid
secret, but it is easy enough to find the requirements
in the spec. This way we do not need to worry about
the secret format changing in future versions.



AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection of the
launch secret, it cannot access the secret.

Signed-off-by: Tobin Feldman-Fitzthum 
---
 include/monitor/monitor.h |  3 ++
 include/sysemu/sev.h  |  2 ++
 monitor/misc.c|  8 ++---
 qapi/misc-target.json | 18 +++
 target/i386/monitor.c |  9 ++
 target/i386/sev-stub.c|  5 +++
 target/i386/sev.c | 66 +++
 target/i386/trace-events  |  1 +
 8 files changed, 108 insertions(+), 4 deletions(-)

diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
index 1018d754a6..bf049c5b00 100644
--- a/include/monitor/monitor.h
+++ b/include/monitor/monitor.h
@@ -4,6 +4,7 @@
 #include "block/block.h"
 #include "qapi/qapi-types-misc.h"
 #include "qemu/readline.h"
+#include "include/exec/hwaddr.h"

 extern __thread Monitor *cur_mon;
 typedef struct MonitorHMP MonitorHMP;
@@ -36,6 +37,8 @@ void monitor_flush(Monitor *mon);
 int monitor_set_cpu(int cpu_index);
 int monitor_get_cpu_index(void);

+void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error 
**errp);

+
 void monitor_read_command(MonitorHMP *mon, int show_prompt);
 int monitor_read_password(MonitorHMP *mon, ReadLineFunc 
*readline_func,

   void *opaque);
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index 98c1ec8d38..b279b293e8 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -18,4 +18,6 @@

 void *sev_guest_init(const char *id);
 int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
+int sev_inject_launch_secret(const char *hdr, const char *secret,
+ uint64_t gpa);
 #endif
diff --git a/monitor/misc.c b/monitor/misc.c
index 89bb970b00..b9ec8ba410 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -674,10 +674,10 @@ static void hmp_physical_memory_dump(Monitor
*mon, const QDict *qdict)
 memory_dump(mon, count, format, size, addr, 1);
 }

-static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
+void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error 
**errp)

 {
 MemoryRegionSection mrs = memory_region_find(get_system_memory(),
- addr, 1);
+ addr, size);

 if (!mrs.mr) {
 error_setg(errp, "No memory is mapped at address 0x%"
HWADDR_PRIx, addr);
@@ -701,7 +701,7 @@ static void hmp_gpa2hva(Monitor *mon, const QDict 
*qdict)

 MemoryRegion *mr = NULL;
 void *ptr;

-ptr = gpa2hva(&mr, addr, &local_err);
+ptr = gpa2hva(&mr, addr, 1, &local_err);
 if (local_err) {
 error_report_err(local_err);
 return;
@@ -777,7 +777,7 @@ static void hmp_gpa2hpa(Monitor *mon, const QDict 
*qdict)

 void *ptr;
 uint64_t physaddr;

-ptr = gpa2hva(&mr, addr, &local_err);
+ptr = gpa2hva(&mr, addr, 1, &local_err);
 if (local_err) {
 error_report_err(local_err);
 return;
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index dee3b45930..d145f916b3 100644
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -200,6 +200,24 @@
 { 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
   'if': 'defined(TARGET_I386)' }

+##
+# @sev-inject-launch-secret:
+#
+# This command injects a secret blob into memory of SEV guest.
+#
+# @packet-header: the launch secret packet header encoded in base64
+#
+# @secret: the launch secret data to be injected encoded in base64
+#
+# @gpa: the guest physical address where secret will be injected.
+#
+# Since: 5.1
+#
+##
+{ 'command': 'sev-inject-launch-secret',
+  'data': { 'packet-header': 'str', 'secret': 'str', 'gpa': 'uint64' 
},

+  'if': 'defined(TARGET_I386)' }
+
 ##
 # @dump-skeys:
 #
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 27ebfa3ad2..42bcfe6dc0 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -736,3 +736,12 @@ SevCapability *qmp_query_sev_capabilities(Error 
**errp)


 return data;
 }
+
+void qmp_sev_inject_launch_secret(const char *packet_hdr,
+  const char *secret, uint64_t gpa,
+  Error **errp)
+{
+if (sev_inject_launch_secr

[PATCH v3] SEV: QMP support for Inject-Launch-Secret

2020-07-06 Thread Tobin Feldman-Fitzthum
AMD SEV allows a guest owner to inject a secret blob
into the memory of a virtual machine. The secret is
encrypted with the SEV Transport Encryption Key and
integrity is guaranteed with the Transport Integrity
Key. Although QEMU facilitates the injection of the
launch secret, it cannot access the secret.

Signed-off-by: Tobin Feldman-Fitzthum 
---
 include/monitor/monitor.h |  3 ++
 include/sysemu/sev.h  |  2 ++
 monitor/misc.c|  8 ++---
 qapi/misc-target.json | 18 +++
 target/i386/monitor.c |  9 ++
 target/i386/sev-stub.c|  5 +++
 target/i386/sev.c | 66 +++
 target/i386/trace-events  |  1 +
 8 files changed, 108 insertions(+), 4 deletions(-)

diff --git a/include/monitor/monitor.h b/include/monitor/monitor.h
index 1018d754a6..bf049c5b00 100644
--- a/include/monitor/monitor.h
+++ b/include/monitor/monitor.h
@@ -4,6 +4,7 @@
 #include "block/block.h"
 #include "qapi/qapi-types-misc.h"
 #include "qemu/readline.h"
+#include "include/exec/hwaddr.h"
 
 extern __thread Monitor *cur_mon;
 typedef struct MonitorHMP MonitorHMP;
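Review bot: the added #include "include/exec/hwaddr.h" spells the path with an include/ prefix, unlike the neighbouring "block/block.h" and "qemu/readline.h" in the same list; "exec/hwaddr.h" would follow the existing convention and would not depend on the source root being on the include path.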
@@ -36,6 +37,8 @@ void monitor_flush(Monitor *mon);
 int monitor_set_cpu(int cpu_index);
 int monitor_get_cpu_index(void);
 
+void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error **errp);
+
 void monitor_read_command(MonitorHMP *mon, int show_prompt);
 int monitor_read_password(MonitorHMP *mon, ReadLineFunc *readline_func,
   void *opaque);
diff --git a/include/sysemu/sev.h b/include/sysemu/sev.h
index 98c1ec8d38..b279b293e8 100644
--- a/include/sysemu/sev.h
+++ b/include/sysemu/sev.h
@@ -18,4 +18,6 @@
 
 void *sev_guest_init(const char *id);
 int sev_encrypt_data(void *handle, uint8_t *ptr, uint64_t len);
+int sev_inject_launch_secret(const char *hdr, const char *secret,
+ uint64_t gpa);
 #endif
diff --git a/monitor/misc.c b/monitor/misc.c
index 89bb970b00..b9ec8ba410 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -674,10 +674,10 @@ static void hmp_physical_memory_dump(Monitor *mon, const 
QDict *qdict)
 memory_dump(mon, count, format, size, addr, 1);
 }
 
-static void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, Error **errp)
+void *gpa2hva(MemoryRegion **p_mr, hwaddr addr, uint64_t size, Error **errp)
 {
 MemoryRegionSection mrs = memory_region_find(get_system_memory(),
- addr, 1);
+ addr, size);
 
 if (!mrs.mr) {
 error_setg(errp, "No memory is mapped at address 0x%" HWADDR_PRIx, 
addr);
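Review bot: gpa2hva() now forwards the caller's size to memory_region_find(), but the only check visible in this hunk is still !mrs.mr, which says that some overlap exists, not that the whole [addr, addr + size) range lies inside the returned section. Now that the function is exported for the secret-injection path, compare the returned section's size against the requested size and fail otherwise; the "No memory is mapped at address" message could also mention the length.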
@@ -701,7 +701,7 @@ static void hmp_gpa2hva(Monitor *mon, const QDict *qdict)
 MemoryRegion *mr = NULL;
 void *ptr;
 
-ptr = gpa2hva(&mr, addr, &local_err);
+ptr = gpa2hva(&mr, addr, 1, &local_err);
 if (local_err) {
 error_report_err(local_err);
 return;
@@ -777,7 +777,7 @@ static void hmp_gpa2hpa(Monitor *mon, const QDict *qdict)
 void *ptr;
 uint64_t physaddr;
 
-ptr = gpa2hva(&mr, addr, &local_err);
+ptr = gpa2hva(&mr, addr, 1, &local_err);
 if (local_err) {
 error_report_err(local_err);
 return;
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index dee3b45930..d145f916b3 100644
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -200,6 +200,24 @@
 { 'command': 'query-sev-capabilities', 'returns': 'SevCapability',
   'if': 'defined(TARGET_I386)' }
 
+##
+# @sev-inject-launch-secret:
+#
+# This command injects a secret blob into memory of SEV guest.
+#
+# @packet-header: the launch secret packet header encoded in base64
+#
+# @secret: the launch secret data to be injected encoded in base64
+#
+# @gpa: the guest physical address where secret will be injected.
+#
+# Since: 5.1
+#
+##
+{ 'command': 'sev-inject-launch-secret',
+  'data': { 'packet-header': 'str', 'secret': 'str', 'gpa': 'uint64' },
+  'if': 'defined(TARGET_I386)' }
+
 ##
 # @dump-skeys:
 #
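Review bot: the doc comment for sev-inject-launch-secret does not say what @gpa must point at (guest RAM large enough for the decoded secret) or what the command reports on failure; a sentence on each would help management-layer authors, since the header and secret arrive as opaque base64 strings.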
diff --git a/target/i386/monitor.c b/target/i386/monitor.c
index 27ebfa3ad2..42bcfe6dc0 100644
--- a/target/i386/monitor.c
+++ b/target/i386/monitor.c
@@ -736,3 +736,12 @@ SevCapability *qmp_query_sev_capabilities(Error **errp)
 
 return data;
 }
+
+void qmp_sev_inject_launch_secret(const char *packet_hdr,
+  const char *secret, uint64_t gpa,
+  Error **errp)
+{
+if (sev_inject_launch_secret(packet_hdr, secret, gpa) != 0) {
+error_setg(errp, "SEV inject secret failed");
+}
+}
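Review bot: qmp_sev_inject_launch_secret() collapses every failure of sev_inject_launch_secret() into the fixed string "SEV inject secret failed", so a QMP client cannot tell, for example, a malformed base64 argument from a bad gpa. Passing Error **errp down into sev_inject_launch_secret() and setting the specific message there would keep the cause.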
diff --git a/target/i386/sev-stub.c b/target/i386/sev-stub.c
index e5ee13309c..fed4588185 100644
--- a/target/i386/sev-stub.c
+++ b/target/i386/sev-stub.c
@@ -48,3 +48,8 @@ SevCapability *sev_get_capabilities(void)
 {
 return NULL;
 }
+int sev_inject_launch_secret(const char *hdr, const char *secret,
+ uint64_t gpa)
+{
+return 1;
+}
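Review bot: the sev_inject_launch_secret() stub is added directly after the closing brace of sev_get_capabilities() with no blank line between the functions, and it returns a bare 1. A blank line and a negative error value (or a comment that any non-zero value means failure, as the != 0 check in qmp_sev_inject_launch_secret() assumes) would make the contract explicit.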
diff --git a/target/i386/sev.c b/target/i386/sev.c
index d273174ad3..cbeb8f2e02 

[PATCH v2 3/3] virtio-balloon: Replace free page hinting references to 'report' with 'hint'

2020-07-06 Thread Alexander Duyck
From: Alexander Duyck 

Recently a feature named Free Page Reporting was added to the virtio
balloon. In order to avoid any confusion we should drop the use of the word
'report' when referring to Free Page Hinting. So what this patch does is go
through and replace all instances of 'report' with 'hint' when we are
referring to free page hinting.

Acked-by: David Hildenbrand 
Signed-off-by: Alexander Duyck 
---
 hw/virtio/virtio-balloon.c |   74 ++--
 include/hw/virtio/virtio-balloon.h |   20 +-
 2 files changed, 47 insertions(+), 47 deletions(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index b3e96a822b4d..a21e7c3db538 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -527,22 +527,22 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
 ret = false;
 goto out;
 }
-if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
-id == dev->free_page_report_cmd_id) {
-dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
+if (dev->free_page_hint_status == FREE_PAGE_HINT_S_REQUESTED &&
+id == dev->free_page_hint_cmd_id) {
+dev->free_page_hint_status = FREE_PAGE_HINT_S_START;
 } else {
 /*
  * Stop the optimization only when it has started. This
  * avoids a stale stop sign for the previous command.
  */
-if (dev->free_page_report_status == FREE_PAGE_REPORT_S_START) {
-dev->free_page_report_status = FREE_PAGE_REPORT_S_STOP;
+if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
+dev->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
 }
 }
 }
 
 if (elem->in_num) {
-if (dev->free_page_report_status == FREE_PAGE_REPORT_S_START) {
+if (dev->free_page_hint_status == FREE_PAGE_HINT_S_START) {
 qemu_guest_free_page_hint(elem->in_sg[0].iov_base,
   elem->in_sg[0].iov_len);
 }
@@ -568,11 +568,11 @@ static void virtio_ballloon_get_free_page_hints(void 
*opaque)
 qemu_mutex_unlock(&dev->free_page_lock);
 virtio_notify(vdev, vq);
   /*
-   * Start to poll the vq once the reporting started. Otherwise, continue
+   * Start to poll the vq once the hinting started. Otherwise, continue
* only when there are entries on the vq, which need to be given back.
*/
 } while (continue_to_get_hints ||
- dev->free_page_report_status == FREE_PAGE_REPORT_S_START);
+ dev->free_page_hint_status == FREE_PAGE_HINT_S_START);
 virtio_queue_set_notification(vq, 1);
 }
 
@@ -595,14 +595,14 @@ static void virtio_balloon_free_page_start(VirtIOBalloon 
*s)
 
 qemu_mutex_lock(&s->free_page_lock);
 
-if (s->free_page_report_cmd_id == UINT_MAX) {
-s->free_page_report_cmd_id =
-   VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
+if (s->free_page_hint_cmd_id == UINT_MAX) {
+s->free_page_hint_cmd_id =
+   VIRTIO_BALLOON_FREE_PAGE_HINT_CMD_ID_MIN;
 } else {
-s->free_page_report_cmd_id++;
+s->free_page_hint_cmd_id++;
 }
 
-s->free_page_report_status = FREE_PAGE_REPORT_S_REQUESTED;
+s->free_page_hint_status = FREE_PAGE_HINT_S_REQUESTED;
 qemu_mutex_unlock(&s->free_page_lock);
 
 virtio_notify_config(vdev);
@@ -612,18 +612,18 @@ static void virtio_balloon_free_page_stop(VirtIOBalloon 
*s)
 {
 VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-if (s->free_page_report_status != FREE_PAGE_REPORT_S_STOP) {
+if (s->free_page_hint_status != FREE_PAGE_HINT_S_STOP) {
 /*
  * The lock also guarantees us that the
  * virtio_ballloon_get_free_page_hints exits after the
- * free_page_report_status is set to S_STOP.
+ * free_page_hint_status is set to S_STOP.
  */
 qemu_mutex_lock(&s->free_page_lock);
 /*
- * The guest hasn't done the reporting, so host sends a notification
- * to the guest to actively stop the reporting.
+ * The guest isn't done hinting, so send a notification
+ * to the guest to actively stop the hinting.
  */
-s->free_page_report_status = FREE_PAGE_REPORT_S_STOP;
+s->free_page_hint_status = FREE_PAGE_HINT_S_STOP;
 qemu_mutex_unlock(&s->free_page_lock);
 virtio_notify_config(vdev);
 }
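Review bot: the comment in virtio_balloon_free_page_stop() still refers to virtio_ballloon_get_free_page_hints with three l's, matching the misspelled function name in the earlier hunk header. Since this patch is a naming clean-up, it would be a good place to rename that function (and this reference) to virtio_balloon_get_free_page_hints.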
@@ -633,15 +633,15 @@ static void virtio_balloon_free_page_done(VirtIOBalloon 
*s)
 {
 VirtIODevice *vdev = VIRTIO_DEVICE(s);
 
-s->free_page_report_status = FREE_PAGE_REPORT_S_DONE;
+s->free_page_hint_status = FREE_PAGE_HINT_S_DONE;
 virtio_notify_config(vdev);
 }
 
 static int
-virtio_balloon_free_page_report_notify(NotifierWithReturn *n, void *data)
+virtio_balloon_free_page_hint_notify(NotifierWithReturn *n, void *data)
 {

[PATCH v2 2/3] virtio-balloon: Add locking to prevent possible race when starting hinting

2020-07-06 Thread Alexander Duyck
From: Alexander Duyck 

There is already locking in place when we are stopping free page hinting
but there are no similar protections in place when we start. I can only
assume this was overlooked as in most cases the page hinting should not be
occurring when we are starting the hinting, however there is still a chance
we could be processing hints by the time we get back around to restarting
the hinting so we are better off making sure to protect the state with the
mutex lock rather than just updating the value with no protections.

Signed-off-by: Alexander Duyck 
---
 hw/virtio/virtio-balloon.c |4 
 1 file changed, 4 insertions(+)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 0c0fd7114799..b3e96a822b4d 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -593,6 +593,8 @@ static void virtio_balloon_free_page_start(VirtIOBalloon *s)
 return;
 }
 
+qemu_mutex_lock(&s->free_page_lock);
+
 if (s->free_page_report_cmd_id == UINT_MAX) {
 s->free_page_report_cmd_id =
VIRTIO_BALLOON_FREE_PAGE_REPORT_CMD_ID_MIN;
@@ -601,6 +603,8 @@ static void virtio_balloon_free_page_start(VirtIOBalloon *s)
 }
 
 s->free_page_report_status = FREE_PAGE_REPORT_S_REQUESTED;
+qemu_mutex_unlock(&s->free_page_lock);
+
 virtio_notify_config(vdev);
 }
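Review bot: with free_page_lock now held around the cmd_id and status update in virtio_balloon_free_page_start(), virtio_balloon_free_page_done() (visible in patch 3/3 of this series) still sets the status without the lock. Either take the lock there too or add a comment saying why that path cannot race with get_free_page_hints().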
 




[PATCH v2 0/3] virtio-balloon: Free page hinting clean-ups

2020-07-06 Thread Alexander Duyck
This series contains a couple minor cleanups related to free page hinting.

The first patch addresses what I believe is a possible issue in which the
driver could potentially force the device out of the stop state and back
into the running state if it were to replay an earlier virtqueue element
containing the same ID it had submitted earlier.

The second patch takes care of a possible race due to a mutex lock not being
used when starting the hinting from the device-side.

The final patch takes care of renaming various hinting objects that were
using "reporting" in the name to try and clarify which objects are for free
page reporting and which are for free page hinting.

Changes from v1:
Split first patch into two patches as each addresses a separate issue.
Added acked-by for first patch.

---

Alexander Duyck (3):
  virtio-balloon: Prevent guest from starting a report when we didn't 
request one
  virtio-balloon: Add locking to prevent possible race when starting hinting
  virtio-balloon: Replace free page hinting references to 'report' with 
'hint'


 hw/virtio/virtio-balloon.c |   77 +++-
 include/hw/virtio/virtio-balloon.h |   20 +
 2 files changed, 51 insertions(+), 46 deletions(-)

--



[PATCH v2 1/3] virtio-balloon: Prevent guest from starting a report when we didn't request one

2020-07-06 Thread Alexander Duyck
From: Alexander Duyck 

Based on code review it appears possible for the driver to force the device
out of a stopped state when hinting by repeating the last ID it was
provided.

Prevent this by only allowing a transition to the start state when we are
in the requested state. This way the driver is only allowed to send one
descriptor that will transition the device into the start state. All others
will leave it in the stop state once it has finished.

Fixes: c13c4153f76d ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
Acked-by: David Hildenbrand 
Signed-off-by: Alexander Duyck 
---
 hw/virtio/virtio-balloon.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
index 10507b2a430a..0c0fd7114799 100644
--- a/hw/virtio/virtio-balloon.c
+++ b/hw/virtio/virtio-balloon.c
@@ -527,7 +527,8 @@ static bool get_free_page_hints(VirtIOBalloon *dev)
 ret = false;
 goto out;
 }
-if (id == dev->free_page_report_cmd_id) {
+if (dev->free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED &&
+id == dev->free_page_report_cmd_id) {
 dev->free_page_report_status = FREE_PAGE_REPORT_S_START;
 } else {
 /*
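Review bot: with the added free_page_report_status == FREE_PAGE_REPORT_S_REQUESTED test, a descriptor carrying the current cmd_id that arrives while the device is already in S_START now takes the else branch and moves the device to S_STOP. That matches the commit message, but the existing comment in the else branch only talks about a stale stop sign for the previous command, so please extend it to cover the repeated-ID case.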




Re: [PATCH] intel_iommu: Use correct shift for 256 bits qi descriptor

2020-07-06 Thread Peter Xu
On Sat, Jul 04, 2020 at 01:07:15AM -0700, Liu Yi L wrote:
> In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was introduced
> in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor
> from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should
> be 5 when descriptor size is 256 bits.
> 
> This patch adds the DW bit check when deciding the shift used to update
> VTD_IQH_REG.
> 
> Signed-off-by: Liu Yi L 

Reviewed-by: Peter Xu 

-- 
Peter Xu




Re: [PULL v2 12/64] target/riscv: add vector amo operations

2020-07-06 Thread Richard Henderson
On 7/5/20 11:20 AM, Peter Maydell wrote:
> On Thu, 2 Jul 2020 at 17:33, Alistair Francis wrote:
>>
>> From: LIU Zhiwei 
>>
>> Vector AMOs operate as if aq and rl bits were zero on each element
>> with regard to ordering relative to other instructions in the same hart.
>> Vector AMOs provide no ordering guarantee between element operations
>> in the same vector AMO instruction
> 
> Hi; Coverity thinks (probably wrongly) that there might be an array
> overflow here:
> 
>> +static bool amo_op(DisasContext *s, arg_rwdvm *a, uint8_t seq)
>> +{
>> +uint32_t data = 0;
>> +gen_helper_amo *fn;
>> +static gen_helper_amo *const fnsw[9] = {
> 
> This is a 9-element array...
> 
>> +/* no atomic operation */
>> +gen_helper_vamoswapw_v_w,
>> +gen_helper_vamoaddw_v_w,
>> +gen_helper_vamoxorw_v_w,
>> +gen_helper_vamoandw_v_w,
>> +gen_helper_vamoorw_v_w,
>> +gen_helper_vamominw_v_w,
>> +gen_helper_vamomaxw_v_w,
>> +gen_helper_vamominuw_v_w,
>> +gen_helper_vamomaxuw_v_w
>> +};
> 
>> +if (tb_cflags(s->base.tb) & CF_PARALLEL) {
>> +gen_helper_exit_atomic(cpu_env);
>> +s->base.is_jmp = DISAS_NORETURN;
>> +return true;
>> +} else {
>> +if (s->sew == 3) {
>> +#ifdef TARGET_RISCV64
>> +fn = fnsd[seq];
>> +#else
>> +/* Check done in amo_check(). */
>> +g_assert_not_reached();
>> +#endif
>> +} else {
>> +fn = fnsw[seq];
> 
> ...which we here index via 'seq'...
> 
> 
>> +#ifdef TARGET_RISCV64
>> +GEN_VEXT_TRANS(vamoswapd_v, 9, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamoaddd_v, 10, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamoxord_v, 11, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamoandd_v, 12, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamoord_v, 13, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamomind_v, 14, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamomaxd_v, 15, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamominud_v, 16, rwdvm, amo_op, amo_check)
>> +GEN_VEXT_TRANS(vamomaxud_v, 17, rwdvm, amo_op, amo_check)
>> +#endif
> 
> ...which in the calls that these macros expand out to can
> be 9 or greater.

FWIW, I think it would be better to have the gen_helper_amo *fn symbol here in
the macro than a magic "seq" number.


r~



[PATCH v6 09/10] block: Add support to warn on backing file change without format

2020-07-06 Thread Eric Blake
For now, this is a mechanical addition; all callers pass false. But
the next patch will use it to improve 'qemu-img rebase -u' when
selecting a backing file with no format.

Signed-off-by: Eric Blake 
Reviewed-by: Peter Krempa 
Reviewed-by: Ján Tomko 
---
 include/block/block.h |  4 ++--
 block.c   | 13 ++---
 block/qcow2.c |  2 +-
 block/stream.c|  2 +-
 blockdev.c|  3 ++-
 qemu-img.c|  4 ++--
 6 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/include/block/block.h b/include/block/block.h
index e8fc8149967f..b57a3806a592 100644
--- a/include/block/block.h
+++ b/include/block/block.h
@@ -410,8 +410,8 @@ void bdrv_get_geometry(BlockDriverState *bs, uint64_t 
*nb_sectors_ptr);
 void bdrv_refresh_limits(BlockDriverState *bs, Error **errp);
 int bdrv_commit(BlockDriverState *bs);
 int bdrv_make_empty(BdrvChild *c, Error **errp);
-int bdrv_change_backing_file(BlockDriverState *bs,
-const char *backing_file, const char *backing_fmt);
+int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
+ const char *backing_fmt, bool warn);
 void bdrv_register(BlockDriver *bdrv);
 int bdrv_drop_intermediate(BlockDriverState *top, BlockDriverState *base,
const char *backing_file_str);
diff --git a/block.c b/block.c
index 983b9bd29af5..5cfd10f6b45e 100644
--- a/block.c
+++ b/block.c
@@ -1206,7 +1206,8 @@ static int bdrv_backing_update_filename(BdrvChild *c, 
BlockDriverState *base,
 }

 ret = bdrv_change_backing_file(parent, filename,
-   base->drv ? base->drv->format_name : "");
+   base->drv ? base->drv->format_name : "",
+   false);
 if (ret < 0) {
 error_setg_errno(errp, -ret, "Could not update backing file link");
 }
@@ -4684,8 +4685,8 @@ int bdrv_check(BlockDriverState *bs,
  *image file header
  * -ENOTSUP - format driver doesn't support changing the backing file
  */
-int bdrv_change_backing_file(BlockDriverState *bs,
-const char *backing_file, const char *backing_fmt)
+int bdrv_change_backing_file(BlockDriverState *bs, const char *backing_file,
+ const char *backing_fmt, bool warn)
 {
 BlockDriver *drv = bs->drv;
 int ret;
@@ -4699,6 +4700,12 @@ int bdrv_change_backing_file(BlockDriverState *bs,
 return -EINVAL;
 }

+if (warn && backing_file && !backing_fmt) {
+warn_report("Deprecated use of backing file without explicit "
+"backing format, use of this image requires "
+"potentially unsafe format probing");
+}
+
 if (drv->bdrv_change_backing_file != NULL) {
 ret = drv->bdrv_change_backing_file(bs, backing_file, backing_fmt);
 } else {
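Review bot: the new test warn && backing_file && !backing_fmt only treats a NULL backing_fmt as missing, while callers elsewhere in this patch (bdrv_backing_update_filename() and qmp_change_backing_file()) pass "" when no driver is known. They pass warn as false today, but the check should also cover an empty string, for example !backing_fmt || !*backing_fmt, so that a later caller enabling the warning is not silently skipped.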
diff --git a/block/qcow2.c b/block/qcow2.c
index 99aedb8eede6..36793e3bb0c7 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -3630,7 +3630,7 @@ qcow2_co_create(BlockdevCreateOptions *create_options, 
Error **errp)
 }

 ret = bdrv_change_backing_file(blk_bs(blk), qcow2_opts->backing_file,
-   backing_format);
+   backing_format, false);
 if (ret < 0) {
 error_setg_errno(errp, -ret, "Could not assign backing file '%s' "
  "with format '%s'", qcow2_opts->backing_file,
diff --git a/block/stream.c b/block/stream.c
index aa2e7af98e37..310ccbaa4cfd 100644
--- a/block/stream.c
+++ b/block/stream.c
@@ -78,7 +78,7 @@ static int stream_prepare(Job *job)
 }
 }
 bdrv_set_backing_hd(bs, base, &local_err);
-ret = bdrv_change_backing_file(bs, base_id, base_fmt);
+ret = bdrv_change_backing_file(bs, base_id, base_fmt, false);
 if (local_err) {
 error_report_err(local_err);
 return -EPERM;
diff --git a/blockdev.c b/blockdev.c
index 31d5eaf6bf08..db0fbcd21499 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -3429,7 +3429,8 @@ void qmp_change_backing_file(const char *device,
 }

 ret = bdrv_change_backing_file(image_bs, backing_file,
-   image_bs->drv ? image_bs->drv->format_name : 
"");
+   image_bs->drv ? image_bs->drv->format_name 
: "",
+   false);

 if (ret < 0) {
 error_setg_errno(errp, -ret, "Could not change backing file to '%s'",
diff --git a/qemu-img.c b/qemu-img.c
index 9efe1f13482b..71a919d73676 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -3807,9 +3807,9 @@ static int img_rebase(int argc, char **argv)
  * doesn't change when we switch the backing file.
  */
 if (out_baseimg && *out_baseimg) {
-ret = bdrv_change_backing_file(bs, out_baseimg, out_basefmt);
+ret = bdrv_change_backing_file(bs, out_baseimg, out_basefmt, false);
 } else {
-ret =

[PATCH v6 10/10] qemu-img: Deprecate use of -b without -F

2020-07-06 Thread Eric Blake
Creating an image that requires format probing of the backing image is
potentially unsafe (we've had several CVEs over the years based on
probes leaking information to the guest on a subsequent boot, although
these days tools like libvirt are aware of the issue enough to prevent
the worst effects).  For example, if our probing algorithm ever
changes, or if other tools like libvirt determine a different probe
result than we do, then subsequent use of that backing file under a
different format will present corrupted data to the guest.
Fortunately, the worst effects occur only when the backing image is
originally raw, and we at least prevent commit into a probed raw
backing file that would change its probed type.

Still, it is worth starting a deprecation clock so that future
qemu-img can refuse to create backing chains that would rely on
probing, to encourage clients to avoid unsafe practices.  Most
warnings are intentionally emitted from bdrv_img_create() in the block
layer, but qemu-img convert uses bdrv_create() which cannot emit its
own warning without causing spurious warnings on other code paths.  In
the end, all command-line image creation or backing file rewriting now
performs a check.

Furthermore, if we probe a backing file as non-raw, then it is safe to
explicitly record that result (rather than relying on future probes);
only where we probe a raw image do we care about further warnings to
the user when using such an image (for example, commits into a
probed-raw backing file are prevented), to help them improve their
tooling.  But whether or not we make the probe results explicit, we
still warn the user to remind them to upgrade their workflow to supply
-F always.

iotest 114 specifically wants to create an unsafe image for later
amendment rather than defaulting to our new default of recording a
probed format, so it needs an update.  While touching it, expand it to
cover all of the various warnings enabled by this patch.  iotest 293
also shows a change to qcow messages.

Signed-off-by: Eric Blake 
---
 docs/system/deprecated.rst | 20 
 block.c| 27 ++-
 qemu-img.c |  9 -
 tests/qemu-iotests/114 | 12 
 tests/qemu-iotests/114.out |  9 +
 tests/qemu-iotests/293.out |  4 +++-
 6 files changed, 78 insertions(+), 3 deletions(-)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index b312ad27aa04..ca994e3ef53a 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -430,6 +430,26 @@ image).  Rather, any changes to the backing chain should 
be performed
 with ``qemu-img rebase -u`` either before or after the remaining
 changes being performed by amend, as appropriate.

+qemu-img backing file without format (since 5.1)
+
+
+The use of ``qemu-img create``, ``qemu-img rebase``, or ``qemu-img
+convert`` to create or modify an image that depends on a backing file
+now recommends that an explicit backing format be provided.  This is
+for safety: if QEMU probes a different format than what you thought,
+the data presented to the guest will be corrupt; similarly, presenting
+a raw image to a guest allows a potential security exploit if a future
+probe sees a non-raw image based on guest writes.
+
+To avoid the warning message, or even future refusal to create an
+unsafe image, you must pass ``-o backing_fmt=`` (or the shorthand
+``-F`` during create) to specify the intended backing format.  You may
+use ``qemu-img rebase -u`` to retroactively add a backing format to an
+existing image.  However, be aware that there are already potential
+security risks to blindly using ``qemu-img info`` to probe the format
+of an untrusted backing image, when deciding what format to add into
+an existing image.
+
 Backwards compatibility
 ---

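
Review bot: The second added paragraph names the -F shorthand only "during create", then recommends 'qemu-img rebase -u' for existing images without saying how the format is passed there, so a reader following the rebase advice has to guess the spelling. State the option for each of the three commands the first paragraph lists (create, rebase, convert). The opening sentence is also awkward: "The use of ... now recommends" makes the usage the subject; "QEMU now recommends an explicit backing format when ..." reads more clearly.
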
diff --git a/block.c b/block.c
index 5cfd10f6b45e..aad3b3635e6b 100644
--- a/block.c
+++ b/block.c
@@ -6161,6 +6161,26 @@ void bdrv_img_create(const char *filename, const char 
*fmt,
 error_append_hint(&local_err, "Could not open backing image.\n");
 goto out;
 } else {
+if (!backing_fmt) {
+warn_report("Deprecated use of backing file without explicit "
+"backing format (detected format of %s)",
+bs->drv->format_name);
+if (bs->drv != &bdrv_raw) {
+/*
+ * A probe of raw deserves the most attention:
+ * leaving the backing format out of the image
+ * will ensure bs->probed is set (ensuring we
+ * don't accidentally commit into the backing
+ * file), and allow more spots to warn the users
+ * to fix their toolchain when opening this image
+ * later.  For other images, we can safely record
+ 

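An added example, not part of the patch or of QEMU: a header-only check that finds qcow2 images whose backing file has no recorded backing format, which are the images the warning above is about. The header offsets and the 0xE2792ACA extension type are taken from the qcow2 format specification; the function names and the sample headers built by build_header() are constructed for illustration, and qcow (v1) images are out of scope because they cannot record a format at all.

```python
import struct
import sys

QCOW2_MAGIC = 0x514649FB         # b"QFI\xfb"
EXT_END = 0x00000000             # end of the header extension area
EXT_BACKING_FORMAT = 0xE2792ACA  # extension holding the backing format name


def parse_backing_info(buf):
    """Return (backing_file, backing_fmt) as recorded in a qcow2 header.

    An element is None when the header does not record it.  Only the bytes
    in buf are inspected; the backing file is never opened or probed.
    """
    if len(buf) < 72:
        raise ValueError("truncated qcow2 header")
    magic, version, bf_off, bf_len = struct.unpack_from(">IIQI", buf, 0)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version == 2:
        hdr_len = 72
    elif version == 3:
        if len(buf) < 104:
            raise ValueError("truncated qcow2 v3 header")
        (hdr_len,) = struct.unpack_from(">I", buf, 100)
        if hdr_len < 104 or hdr_len > len(buf):
            raise ValueError("invalid header_length")
    else:
        raise ValueError("unsupported qcow2 version %d" % version)

    backing_file = None
    if bf_off:
        if bf_len > 1023 or bf_off < hdr_len or bf_off + bf_len > len(buf):
            raise ValueError("invalid backing file name location")
        backing_file = buf[bf_off:bf_off + bf_len].decode("utf-8", "replace")

    # Header extensions follow the fixed header and stop at the backing
    # file name (when present) or at an explicit end marker.
    backing_fmt = None
    end = bf_off if bf_off else len(buf)
    pos = hdr_len
    while pos + 8 <= end:
        ext_type, ext_len = struct.unpack_from(">II", buf, pos)
        pos += 8
        if ext_type == EXT_END:
            break
        if pos + ext_len > end:
            raise ValueError("header extension overruns its area")
        if ext_type == EXT_BACKING_FORMAT:
            backing_fmt = buf[pos:pos + ext_len].decode("ascii", "replace")
        pos += (ext_len + 7) & ~7  # extension data is padded to 8 bytes
    return backing_file, backing_fmt


def audit(buf):
    """Classify one header as 'standalone', 'explicit' or 'probed'."""
    backing_file, backing_fmt = parse_backing_info(buf)
    if backing_file is None:
        return "standalone"
    return "explicit" if backing_fmt else "probed"


def build_header(backing_file=None, backing_fmt=None):
    """Build a constructed, minimal v3 header (sample input, not an image)."""
    ext = b""
    if backing_fmt is not None:
        data = backing_fmt.encode()
        ext += struct.pack(">II", EXT_BACKING_FORMAT, len(data))
        ext += data + b"\0" * (-len(data) % 8)
    ext += struct.pack(">II", EXT_END, 0)
    hdr_len = 104
    name = backing_file.encode() if backing_file else b""
    bf_off = hdr_len + len(ext) if name else 0
    fixed = struct.pack(">IIQI", QCOW2_MAGIC, 3, bf_off, len(name))
    fixed = fixed.ljust(100, b"\0") + struct.pack(">I", hdr_len)
    return fixed + ext + name


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(65536)  # the header normally sits well inside this
        print(path, audit(head), parse_backing_info(head))
```

Images reported as "probed" are the ones that depend on format probing each time they are opened, and so are the candidates for the 'qemu-img rebase -u' fix that the documentation hunk describes.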
[PATCH v6 06/10] block: Error if backing file fails during creation without -u

2020-07-06 Thread Eric Blake
Back in commit 6e6e55f5 (Jul 2017, v2.10), we tweaked the code to warn
if the backing file could not be opened but the user gave a size,
unless the user also passes the -u option to bypass the open of the
backing file.  As one common reason for failure to open the backing
file is when there is a mismatch in the requested backing format in
relation to what the backing file actually contains, we actually want
to open the backing file and ensure that it has the right format in as
many cases as possible.  iotest 293 for qcow demonstrates how
detecting explicit format mismatch is useful to prevent the creation
of an image that would probe differently than the user requested.  Now
is the time to finally turn the warning into an error, as promised.

Note that the original warning was added prior to our documentation of
an official deprecation policy (eb22aeca, also Jul 2017), and because
the warning didn't mention the word "deprecated", we never actually
remembered to document it as such.  But the warning has been around
long enough that I don't see prolonging it another two releases.

Signed-off-by: Eric Blake 
---
 docs/system/deprecated.rst | 12 
 block.c| 12 ++--
 tests/qemu-iotests/111.out |  2 +-
 tests/qemu-iotests/293.out | 13 +
 4 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 73b9d9f37848..6fbec34b8b37 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -546,6 +546,18 @@ can be rewritten as::
 All options specified in ``-o`` are image creation options, so
 they are now rejected when used with ``-n`` to skip image creation.

+
+``qemu-img create -b bad file $size`` (removed in 5.1)
+''
+
+When creating an image with a backing file that could not be opened,
+``qemu-img create`` used to issue a warning about the failure but
+proceed with the image creation if an explicit size was provided.
+However, as the ``-u`` option exists for this purpose, it is safer to
+enforce that any failure to open the backing image (including if the
+backing file is missing or an incorrect format was specified) is an
+error when ``-u`` is not used.
+
 Command line options
 

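
Review bot: The new heading "qemu-img create -b bad file $size" is ambiguous: it can be read as "bad" being the backing file and "file" the new image, or as "bad file" being a single argument. Use distinct placeholders for the two operands (for example "-b bad_backing file $size") so the heading matches the body text, which talks about a backing file that could not be opened.
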
diff --git a/block.c b/block.c
index a568196ba250..983b9bd29af5 100644
--- a/block.c
+++ b/block.c
@@ -6150,16 +6150,8 @@ void bdrv_img_create(const char *filename, const char 
*fmt,
 bs = bdrv_open(full_backing, NULL, backing_options, back_flags,
&local_err);
 g_free(full_backing);
-if (!bs && size != -1) {
-/* Couldn't open BS, but we have a size, so it's nonfatal */
-warn_reportf_err(local_err,
-"Could not verify backing image. "
-"This may become an error in future versions.\n");
-local_err = NULL;
-} else if (!bs) {
-/* Couldn't open bs, do not have size */
-error_append_hint(&local_err,
-  "Could not open backing image to determine 
size.\n");
+if (!bs) {
+error_append_hint(&local_err, "Could not open backing image.\n");
 goto out;
 } else {
 if (size == -1) {
diff --git a/tests/qemu-iotests/111.out b/tests/qemu-iotests/111.out
index 5279c462fc21..ba034e5c5886 100644
--- a/tests/qemu-iotests/111.out
+++ b/tests/qemu-iotests/111.out
@@ -1,4 +1,4 @@
 QA output created by 111
 qemu-img: TEST_DIR/t.IMGFMT: Could not open 'TEST_DIR/t.IMGFMT.inexistent': No 
such file or directory
-Could not open backing image to determine size.
+Could not open backing image.
 *** done
diff --git a/tests/qemu-iotests/293.out b/tests/qemu-iotests/293.out
index d07918b6d74b..3c612903f862 100644
--- a/tests/qemu-iotests/293.out
+++ b/tests/qemu-iotests/293.out
@@ -17,18 +17,15 @@ backing file: TEST_DIR/t.IMGFMT.base

 == mismatched command line detection ==
 qemu-img: TEST_DIR/t.IMGFMT: invalid VMDK image descriptor
-Could not open backing image to determine size.
-qemu-img: warning: Could not verify backing image. This may become an error in 
future versions.
-invalid VMDK image descriptor
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 
backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=vmdk
+Could not open backing image.
+qemu-img: TEST_DIR/t.IMGFMT: invalid VMDK image descriptor
+Could not open backing image.

 qemu-img: TEST_DIR/t.IMGFMT: Image creation needs a size parameter
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 
backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=vmdk

-qemu-img: warning: Could not verify backing image. This may become an error in 
future versions.
-Unknown driver 'garbage'
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=33554432 
backing_file=TEST_DIR/t.IMGFMT.base backing_fmt=garbage
-qemu-img: TEST_DIR/t.IMGFMT: unrecognized backing format 'garbage'
+qemu-img: TEST

[PATCH v6 05/10] qcow: Tolerate backing_fmt=

2020-07-06 Thread Eric Blake
qcow has no space in the metadata to store a backing format, and there
are existing qcow images backed both by raw and by other-format
(usually qcow) images, reliant on probing to tell the difference.  On
the bright side, because we probe every time, raw files are marked as
probed and we thus forbid a commit action into the backing file where
guest-controlled contents could change the result of the probe next
time around (the iotest added here proves that).

Still, allowing the user to specify the backing format during
creation, even if we can't record it, is a good thing.  This patch
blindly allows any value that resolves to a known driver, even if the
user's request is a mismatch from what probing finds; then the next
patch will further enhance things to verify that the user's request
matches what we actually probe.  With this and the next patch in
place, we will finally be ready to deprecate the creation of images
where a backing format was not explicitly specified by the user.

Note that this is only for QemuOpts usage; there is no change to the
QAPI to allow a format through -blockdev.

Add a new iotest 293 just for qcow, to demonstrate the latest
behavior, and to make it easier to show the improvements made in the
next patch.

Signed-off-by: Eric Blake 
---
 block/qcow.c   | 20 -
 tests/qemu-iotests/293 | 88 ++
 tests/qemu-iotests/293.out | 60 ++
 tests/qemu-iotests/group   |  1 +
 4 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100755 tests/qemu-iotests/293
 create mode 100644 tests/qemu-iotests/293.out

diff --git a/block/qcow.c b/block/qcow.c
index ee5d35fe20ed..e91aa2d8c4d0 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -940,11 +940,12 @@ static int coroutine_fn qcow_co_create_opts(BlockDriver 
*drv,
 {
 BlockdevCreateOptions *create_options = NULL;
 BlockDriverState *bs = NULL;
-QDict *qdict;
+QDict *qdict = NULL;
 Visitor *v;
 const char *val;
 Error *local_err = NULL;
 int ret;
+char *backing_fmt;

 static const QDictRenames opt_renames[] = {
 { BLOCK_OPT_BACKING_FILE,   "backing-file" },
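
Review bot: 'char *backing_fmt;' is declared without an initialiser, while the same hunk changes 'QDict *qdict' to '= NULL' so that the new early 'goto fail' is safe. The g_free(backing_fmt) added at 'fail:' is only correct as long as the qemu_opt_get_del() assignment stays ahead of every jump to that label; initialise it to NULL, as the vmdk and sheepdog patches in this series do.
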
@@ -952,6 +953,17 @@ static int coroutine_fn qcow_co_create_opts(BlockDriver 
*drv,
 { NULL, NULL },
 };

+/*
+ * We can't actually store a backing format, but can check that
+ * the user's request made sense.
+ */
+backing_fmt = qemu_opt_get_del(opts, BLOCK_OPT_BACKING_FMT);
+if (backing_fmt && !bdrv_find_format(backing_fmt)) {
+error_setg(errp, "unrecognized backing format '%s'", backing_fmt);
+ret = -EINVAL;
+goto fail;
+}
+
 /* Parse options and convert legacy syntax */
 qdict = qemu_opts_to_qdict_filtered(opts, NULL, &qcow_create_opts, true);

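
Review bot: The comment above the new check says the code can "check that the user's request made sense", but the test is only bdrv_find_format(backing_fmt), that is, that the string names a known driver. Nothing in this patch ties the option to BLOCK_OPT_BACKING_FILE, so backing_fmt is accepted and then dropped even when no backing file is given, and a format that contradicts the real backing file passes (the commit message defers that to the next patch). Reword the comment to say exactly what is checked, and consider rejecting backing_fmt when backing_file is absent.
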
@@ -1018,6 +1030,7 @@ static int coroutine_fn qcow_co_create_opts(BlockDriver 
*drv,

 ret = 0;
 fail:
+g_free(backing_fmt);
 qobject_unref(qdict);
 bdrv_unref(bs);
 qapi_free_BlockdevCreateOptions(create_options);
@@ -1152,6 +1165,11 @@ static QemuOptsList qcow_create_opts = {
 .type = QEMU_OPT_STRING,
 .help = "File name of a base image"
 },
+{
+.name = BLOCK_OPT_BACKING_FMT,
+.type = QEMU_OPT_STRING,
+.help = "Format of the backing image",
+},
 {
 .name = BLOCK_OPT_ENCRYPT,
 .type = QEMU_OPT_BOOL,
diff --git a/tests/qemu-iotests/293 b/tests/qemu-iotests/293
new file mode 100755
index ..3823e956175a
--- /dev/null
+++ b/tests/qemu-iotests/293
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+#
+# Test qcow backing file warnings
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+#
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+status=1 # failure is the default!
+
+_cleanup()
+{
+_cleanup_test_img
+_rm_test_img "$TEST_IMG.qcow2"
+}
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+_supported_fmt qcow
+_supported_proto file
+_supported_os Linux
+
+size=32M
+
+echo
+echo "== qcow backed by qcow =="
+
+TEST_IMG="$TEST_IMG.base" _make_test_img $size
+_make_test_img -b "$TEST_IMG.base" $size
+_img_info
+_make_test_img -b "$TEST_IMG.base" -F $IMGFMT $size
+_img_info
+
+echo
+echo "== mismatched 

[PATCH v6 07/10] qcow2: Deprecate use of qemu-img amend to change backing file

2020-07-06 Thread Eric Blake
The use of 'qemu-img amend' to change qcow2 backing files is not
tested very well.  In particular, our implementation has a bug where
if a new backing file is provided without a format, then the prior
format is blindly reused, even if this results in data corruption, but
this is not caught by iotests.

There are also situations where amending other options needs access to
the original backing file (for example, on a downgrade to a v2 image,
knowing whether a v3 zero cluster must be allocated or may be left
unallocated depends on knowing whether the backing file already reads
as zero), but the command line does not have a nice way to tell us
both the backing file to use for opening the image as well as the
backing file to install after the operation is complete.

Even if we do allow changing the backing file, it is redundant with
the existing ability to change backing files via 'qemu-img rebase -u'.
It is time to deprecate this support (leaving the existing behavior
intact, even if it is buggy), and at a point in the future, require
the use of only 'qemu-img rebase' for adjusting backing chain
relations, saving 'qemu-img amend' for changes unrelated to the
backing chain.

Signed-off-by: Eric Blake 
---
 docs/system/deprecated.rst | 12 
 docs/tools/qemu-img.rst|  4 
 block/qcow2.c  |  5 +
 tests/qemu-iotests/061.out |  1 +
 tests/qemu-iotests/082.out |  2 ++
 5 files changed, 24 insertions(+)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 6fbec34b8b37..b312ad27aa04 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -418,6 +418,18 @@ kernel in 2018, and has also been dropped from glibc.
 Related binaries
 

+qemu-img amend to adjust backing file (since 5.1)
+'
+
+The use of ``qemu-img amend`` to modify the name or format of a qcow2
+backing image is deprecated; this functionality was never fully
+documented or tested, and interferes with other amend operations that
+need access to the original backing image (such as deciding whether a
+v3 zero cluster may be left unallocated when converting to a v2
+image).  Rather, any changes to the backing chain should be performed
+with ``qemu-img rebase -u`` either before or after the remaining
+changes being performed by amend, as appropriate.
+
 Backwards compatibility
 ---

diff --git a/docs/tools/qemu-img.rst b/docs/tools/qemu-img.rst
index 7f0737488ade..fa53e30697e7 100644
--- a/docs/tools/qemu-img.rst
+++ b/docs/tools/qemu-img.rst
@@ -258,6 +258,10 @@ Command description:
   Amends the image format specific *OPTIONS* for the image file
   *FILENAME*. Not all file formats support this operation.

+  The set of options that can be amended are dependent on the image
+  format, but note that amending the backing chain relationship should
+  instead be performed with ``qemu-img rebase``.
+
 .. option:: bench [-c COUNT] [-d DEPTH] [-f FMT] 
[--flush-interval=FLUSH_INTERVAL] [-i AIO] [-n] [--no-drain] [-o OFFSET] 
[--pattern=PATTERN] [-q] [-s BUFFER_SIZE] [-S STEP_SIZE] [-t CACHE] [-w] [-U] 
FILENAME

   Run a simple sequential I/O benchmark on the specified image. If ``-w`` is
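
Review bot: The added sentence has a subject-verb mismatch: "The set of options that can be amended are dependent" should be "is dependent" (or simply "depends on the image format"). It also points to plain 'qemu-img rebase', whereas the deprecated.rst text in this same patch recommends 'qemu-img rebase -u'; use the same spelling in both places so readers do not wonder whether a safe-mode rebase is meant here.
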
diff --git a/block/qcow2.c b/block/qcow2.c
index 0cd2e6757e8c..99aedb8eede6 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -5523,6 +5523,11 @@ static int qcow2_amend_options(BlockDriverState *bs, 
QemuOpts *opts,
 }

 if (backing_file || backing_format) {
+if (g_strcmp0(backing_file, s->image_backing_file) ||
+g_strcmp0(backing_format, s->image_backing_format)) {
+warn_report("Deprecated use of amend to alter the backing file; "
+"use qemu-img rebase instead");
+}
 ret = qcow2_change_backing_file(bs,
 backing_file ?: s->image_backing_file,
 backing_format ?: s->image_backing_format);
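
Review bot: The new condition compares the raw option values, not the values that are actually installed: the call just below uses 'backing_file ?: s->image_backing_file' and 'backing_format ?: s->image_backing_format', so a NULL option means "keep the current one". With g_strcmp0(), a NULL backing_file against a non-NULL s->image_backing_file compares unequal, so amending with only a backing format that equals the stored one (or only an unchanged backing file) still prints the deprecation warning although nothing changes. Compute the effective file and format first and compare those against the stored values.
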
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
index 2f03cf045cce..c549b139da47 100644
--- a/tests/qemu-iotests/061.out
+++ b/tests/qemu-iotests/061.out
@@ -370,6 +370,7 @@ wrote 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 read 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+qemu-img: warning: Deprecated use of amend to alter the backing file; use 
qemu-img rebase instead
 read 131072/131072 bytes at offset 0
 128 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
 No errors were found on the image.
diff --git a/tests/qemu-iotests/082.out b/tests/qemu-iotests/082.out
index 529a1214e1ea..7f2b207d247b 100644
--- a/tests/qemu-iotests/082.out
+++ b/tests/qemu-iotests/082.out
@@ -839,10 +839,12 @@ Creation options for 'qcow2':
 Note that not all of these options may be amendable.

 Testing: amend -f qcow2 -o backing_file=TEST_DIR/t.qcow2,,help TEST_DIR/t.qcow2
+qemu-img: warning: Deprecated use of amend to alter the back

[PATCH v6 01/10] qemu-img: Flush stdout before before potential stderr messages

2020-07-06 Thread Eric Blake
During 'qemu-img create ... 2>&1', if --quiet is not in force, we can
end up with buffered I/O in stdout that was produced before failure,
but which appears in output after failure.  This is confusing; the fix
is to flush stdout prior to attempting anything that might produce an
error message.  Several iotests demonstrate the resulting ordering
change now that the merged outputs reflect chronology.  (An even
better fix would be to avoid printf from within block.c altogether,
but that's much more invasive...)

Signed-off-by: Eric Blake 
---
 block.c| 1 +
 tests/qemu-iotests/049.out | 8 
 tests/qemu-iotests/054.out | 2 +-
 tests/qemu-iotests/079.out | 2 +-
 tests/qemu-iotests/112.out | 4 ++--
 tests/qemu-iotests/259.out | 2 +-
 6 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/block.c b/block.c
index 6dbcb7e083ea..a568196ba250 100644
--- a/block.c
+++ b/block.c
@@ -6186,6 +6186,7 @@ void bdrv_img_create(const char *filename, const char 
*fmt,
 printf("Formatting '%s', fmt=%s ", filename, fmt);
 qemu_opts_print(opts, " ");
 puts("");
+fflush(stdout);
 }

 ret = bdrv_create(drv, filename, opts, &local_err);
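
Review bot: The added fflush(stdout) carries no comment, and its purpose (keeping the "Formatting ..." line ahead of any stderr message from bdrv_create() when the two streams are merged) is recorded only in the commit message. Add a one-line comment above the call so it is not later removed as redundant after puts().
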
diff --git a/tests/qemu-iotests/049.out b/tests/qemu-iotests/049.out
index c54ae21b868a..22f395246b37 100644
--- a/tests/qemu-iotests/049.out
+++ b/tests/qemu-iotests/049.out
@@ -167,12 +167,12 @@ qemu-img create -f qcow2 -o compat=1.1 TEST_DIR/t.qcow2 
64M
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 compat=1.1 
cluster_size=65536 lazy_refcounts=off refcount_bits=16 compression_type=zlib

 qemu-img create -f qcow2 -o compat=0.42 TEST_DIR/t.qcow2 64M
-qemu-img: TEST_DIR/t.qcow2: Invalid parameter '0.42'
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 compat=0.42 
cluster_size=65536 lazy_refcounts=off refcount_bits=16 compression_type=zlib
+qemu-img: TEST_DIR/t.qcow2: Invalid parameter '0.42'

 qemu-img create -f qcow2 -o compat=foobar TEST_DIR/t.qcow2 64M
-qemu-img: TEST_DIR/t.qcow2: Invalid parameter 'foobar'
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 compat=foobar 
cluster_size=65536 lazy_refcounts=off refcount_bits=16 compression_type=zlib
+qemu-img: TEST_DIR/t.qcow2: Invalid parameter 'foobar'

 == Check preallocation option ==

@@ -183,8 +183,8 @@ qemu-img create -f qcow2 -o preallocation=metadata 
TEST_DIR/t.qcow2 64M
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 cluster_size=65536 
preallocation=metadata lazy_refcounts=off refcount_bits=16 compression_type=zlib

 qemu-img create -f qcow2 -o preallocation=1234 TEST_DIR/t.qcow2 64M
-qemu-img: TEST_DIR/t.qcow2: Invalid parameter '1234'
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 cluster_size=65536 
preallocation=1234 lazy_refcounts=off refcount_bits=16 compression_type=zlib
+qemu-img: TEST_DIR/t.qcow2: Invalid parameter '1234'

 == Check encryption option ==

@@ -206,7 +206,7 @@ qemu-img create -f qcow2 -o compat=0.10,lazy_refcounts=off 
TEST_DIR/t.qcow2 64M
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 compat=0.10 
cluster_size=65536 lazy_refcounts=off refcount_bits=16 compression_type=zlib

 qemu-img create -f qcow2 -o compat=0.10,lazy_refcounts=on TEST_DIR/t.qcow2 64M
-qemu-img: TEST_DIR/t.qcow2: Lazy refcounts only supported with compatibility 
level 1.1 and above (use version=v3 or greater)
 Formatting 'TEST_DIR/t.qcow2', fmt=qcow2 size=67108864 compat=0.10 
cluster_size=65536 lazy_refcounts=on refcount_bits=16 compression_type=zlib
+qemu-img: TEST_DIR/t.qcow2: Lazy refcounts only supported with compatibility 
level 1.1 and above (use version=v3 or greater)

 *** done
diff --git a/tests/qemu-iotests/054.out b/tests/qemu-iotests/054.out
index e6ec430edd47..71f18bb98760 100644
--- a/tests/qemu-iotests/054.out
+++ b/tests/qemu-iotests/054.out
@@ -1,8 +1,8 @@
 QA output created by 054

 creating too large image (1 EB)
-qemu-img: TEST_DIR/t.IMGFMT: The image size is too large for file format 
'IMGFMT' (try using a larger cluster size)
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1152921504606846976
+qemu-img: TEST_DIR/t.IMGFMT: The image size is too large for file format 
'IMGFMT' (try using a larger cluster size)

 creating too large image (1 EB) using qcow2.py
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296
diff --git a/tests/qemu-iotests/079.out b/tests/qemu-iotests/079.out
index aab922fb369b..f65a9ca84fea 100644
--- a/tests/qemu-iotests/079.out
+++ b/tests/qemu-iotests/079.out
@@ -9,6 +9,6 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296 
preallocation=metadat
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296 
preallocation=metadata
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296 
preallocation=metadata
 Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296 
preallocation=metadata
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=4294967296 
preallocation=metadata
 qemu-img: TEST_DIR/t.IMGFMT: Cluster size must be a power of two between 512 
and 20

[PATCH v6 04/10] vmdk: Add trivial backing_fmt support

2020-07-06 Thread Eric Blake
vmdk already requires that if backing_file is present, that it be
another vmdk image (see vmdk_co_do_create).  Meanwhile, we want to
move towards always being explicit about the backing format for other
drivers where it matters.  So for convenience, make qemu-img create -F
vmdk work, while rejecting all other explicit formats (note that this
is only for QemuOpts usage; there is no change to the QAPI to allow a
format through -blockdev).

Signed-off-by: Eric Blake 
---
 block/vmdk.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/block/vmdk.c b/block/vmdk.c
index 62da4651263b..6c58e5ec2e43 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -2638,6 +2638,14 @@ static int coroutine_fn vmdk_co_create_opts(BlockDriver 
*drv,
 bool zeroed_grain;
 bool compat6;
 VMDKCreateOptsData data;
+char *backing_fmt = NULL;
+
+backing_fmt = qemu_opt_get_del(opts, BLOCK_OPT_BACKING_FMT);
+if (backing_fmt && strcmp(backing_fmt, "vmdk") != 0) {
+error_setg(errp, "backing_file must be a vmdk image");
+ret = -EINVAL;
+goto exit;
+}

 if (filename_decompose(filename, path, prefix, postfix, PATH_MAX, errp)) {
 ret = -EINVAL;
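
Review bot: The error raised for a non-vmdk backing_fmt is "backing_file must be a vmdk image", which blames the backing file although the rejected input is the format string; as written, the check also fires when backing_fmt is given and no backing file is supplied at all. Report the option that was wrong together with its value, for example "backing_fmt must be 'vmdk', not '%s'".
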
@@ -2696,6 +2704,7 @@ static int coroutine_fn vmdk_co_create_opts(BlockDriver 
*drv,
 vmdk_co_create_opts_cb, &data, errp);

 exit:
+g_free(backing_fmt);
 g_free(adapter_type);
 g_free(backing_file);
 g_free(hw_version);
@@ -3031,6 +3040,11 @@ static QemuOptsList vmdk_create_opts = {
 .type = QEMU_OPT_STRING,
 .help = "File name of a base image"
 },
+{
+.name = BLOCK_OPT_BACKING_FMT,
+.type = QEMU_OPT_STRING,
+.help = "Must be 'vmdk' if present",
+},
 {
 .name = BLOCK_OPT_COMPAT6,
 .type = QEMU_OPT_BOOL,
-- 
2.27.0




[PATCH v6 03/10] sheepdog: Add trivial backing_fmt support

2020-07-06 Thread Eric Blake
Sheepdog already requires that if backing_file is present, that it be
another sheepdog image (see sd_co_create).  Meanwhile, we want to move
towards always being explicit about the backing format for other
drivers where it matters.  So for convenience, make qemu-img create -F
sheepdog work, while rejecting all other explicit formats (note that
this is only for QemuOpts usage; there is no change to the QAPI to
allow a format through -blockdev).

Signed-off-by: Eric Blake 
---
 block/sheepdog.c | 18 --
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/block/sheepdog.c b/block/sheepdog.c
index 27a30d17f4c9..548ce54cbc7e 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -2157,13 +2157,21 @@ static int coroutine_fn sd_co_create_opts(BlockDriver 
*drv,
   Error **errp)
 {
 BlockdevCreateOptions *create_options = NULL;
-QDict *qdict, *location_qdict;
+QDict *qdict = NULL, *location_qdict;
 Visitor *v;
-char *redundancy;
+char *redundancy = NULL;
 Error *local_err = NULL;
 int ret;
+char *backing_fmt = NULL;

 redundancy = qemu_opt_get_del(opts, BLOCK_OPT_REDUNDANCY);
+backing_fmt = qemu_opt_get_del(opts, BLOCK_OPT_BACKING_FMT);
+
+if (backing_fmt && strcmp(backing_fmt, "sheepdog") != 0) {
+error_setg(errp, "backing_file must be a sheepdog image");
+ret = -EINVAL;
+goto fail;
+}

 qdict = qemu_opts_to_qdict(opts, NULL);
 qdict_put_str(qdict, "driver", "sheepdog");
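
Review bot: The strcmp() of backing_fmt against one fixed driver name followed by error_setg() and -EINVAL is the same block the vmdk patch in this series adds to vmdk_co_create_opts, including a message ("backing_file must be a sheepdog image") that names the backing file when the rejected value is the format string. A small shared helper that takes the option list and the single permitted format name would keep the two drivers in step and give one place to fix the wording.
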
@@ -2228,6 +2236,7 @@ fail:
 qapi_free_BlockdevCreateOptions(create_options);
 qobject_unref(qdict);
 g_free(redundancy);
+g_free(backing_fmt);
 return ret;
 }

@@ -3185,6 +3194,11 @@ static QemuOptsList sd_create_opts = {
 .type = QEMU_OPT_STRING,
 .help = "File name of a base image"
 },
+{
+.name = BLOCK_OPT_BACKING_FMT,
+.type = QEMU_OPT_STRING,
+.help = "Must be 'sheepdog' if present",
+},
 {
 .name = BLOCK_OPT_PREALLOC,
 .type = QEMU_OPT_STRING,
-- 
2.27.0




[PATCH v6 00/10] Tighten qemu-img rules on missing backing format

2020-07-06 Thread Eric Blake
v5 was here:
https://lists.gnu.org/archive/html/qemu-devel/2020-04/msg00679.html
In v6:
- add a few more patches
- change qcow semantics based on several iterations of mailing list
debates on what behavior is easiest to support
- add iotesting that a probed raw file cannot be committed into
- instead of recording an implicit probed raw file, instead we record
only a non-raw file
- rebase to a few more affected iotests, plus s/5.0/5.1/

Yes, I know this is really short notice to make it in before feature
freeze for 5.1 (removal in 6.0), so it may end up slipping into 5.2
(removal in 6.1); but we'll see how things go.

Also available at
https://repo.or.cz/qemu/ericb.git/shortlog/refs/tags/qemu-img-create-backing-v6

001/10:[down] 'qemu-img: Flush stdout before before potential stderr messages'
002/10:[down] 'block: Finish deprecation of 'qemu-img convert -n -o''
003/10:[] [--] 'sheepdog: Add trivial backing_fmt support'
004/10:[] [--] 'vmdk: Add trivial backing_fmt support'
005/10:[0088] [FC] 'qcow: Tolerate backing_fmt='
006/10:[down] 'block: Error if backing file fails during creation without -u'
007/10:[0004] [FC] 'qcow2: Deprecate use of qemu-img amend to change backing 
file'
008/10:[0059] [FC] 'iotests: Specify explicit backing format where sensible'
009/10:[] [-C] 'block: Add support to warn on backing file change without 
format'
010/10:[0027] [FC] 'qemu-img: Deprecate use of -b without -F'

Eric Blake (10):
  qemu-img: Flush stdout before before potential stderr messages
  block: Finish deprecation of 'qemu-img convert -n -o'
  sheepdog: Add trivial backing_fmt support
  vmdk: Add trivial backing_fmt support
  qcow: Tolerate backing_fmt=
  block: Error if backing file fails during creation without -u
  qcow2: Deprecate use of qemu-img amend to change backing file
  iotests: Specify explicit backing format where sensible
  block: Add support to warn on backing file change without format
  qemu-img: Deprecate use of -b without -F

 docs/system/deprecated.rst| 58 +++
 docs/tools/qemu-img.rst   |  4 ++
 include/block/block.h |  4 +-
 block.c   | 53 +++--
 block/qcow.c  | 20 +++-
 block/qcow2.c |  7 ++-
 block/sheepdog.c  | 18 ++-
 block/stream.c|  2 +-
 block/vmdk.c  | 14 ++
 blockdev.c|  3 +-
 qemu-img.c| 15 --
 tests/qemu-iotests/017|  2 +-
 tests/qemu-iotests/017.out|  2 +-
 tests/qemu-iotests/018|  2 +-
 tests/qemu-iotests/018.out|  2 +-
 tests/qemu-iotests/019|  5 +-
 tests/qemu-iotests/019.out|  2 +-
 tests/qemu-iotests/020|  4 +-
 tests/qemu-iotests/020.out|  4 +-
 tests/qemu-iotests/024|  8 ++--
 tests/qemu-iotests/024.out|  5 +-
 tests/qemu-iotests/028|  4 +-
 tests/qemu-iotests/028.out|  2 +-
 tests/qemu-iotests/030| 26 ---
 tests/qemu-iotests/034|  2 +-
 tests/qemu-iotests/034.out|  2 +-
 tests/qemu-iotests/037|  2 +-
 tests/qemu-iotests/037.out|  2 +-
 tests/qemu-iotests/038|  2 +-
 tests/qemu-iotests/038.out|  2 +-
 tests/qemu-iotests/039|  3 +-
 tests/qemu-iotests/039.out|  2 +-
 tests/qemu-iotests/040| 47 +--
 tests/qemu-iotests/041| 37 ++-
 tests/qemu-iotests/042|  4 +-
 tests/qemu-iotests/043| 18 +++
 tests/qemu-iotests/043.out| 16 ---
 tests/qemu-iotests/046|  2 +-
 tests/qemu-iotests/046.out|  2 +-
 tests/qemu-iotests/049.out|  8 ++--
 tests/qemu-iotests/050|  4 +-
 tests/qemu-iotests/050.out|  2 +-
 tests/qemu-iotests/051|  2 +-
 tests/qemu-iotests/051.out|  2 +-
 tests/qemu-iotests/051.pc.out |  2 +-
 tests/qemu-iotests/054.out|  2 +-
 tests/qemu-iotests/056|  3 +-
 tests/qemu-iotests/060|  2 +-
 tests/qemu-iotests/060.out|  2 +-
 tests/qemu-iotests/061| 10 ++--
 tests/qemu-iotests/061.out| 11 +++--
 tests/qemu-iotests/069|  2 +-
 tests/qemu-iotests/069.out|  2 +-
 tests/qemu-iotests/073|  2 +-
 tests/qemu-iotests/073.out|  2 +-
 tests/qemu-iotests/079.out|  2 +-
 tests/qemu-iotests/082| 10 ++--
 tests/qemu-iotests/082.out| 14 +++---
 tests/qemu-iotests/085|  4 +-
 tests/qemu-iotests/085.out|  6 +--
 tests/qemu-iotests/089|  2 +-
 tests/qemu-iotests/089.out|  2 +-
 tests/qemu-iotests/095|  4 +-
 tests/qemu-iotests/095.out|  4 +-
 tests/qemu-iotests/097|  4 +-
 tests/qemu-iotests/097.out| 16 +++
 tests/qemu-iotests/098|  2 +-
 tests/qemu-iotests/098.out|  8 ++--
 tests/qemu-iotests/110|  4 +-
 tests/qemu-iotests/110.out|  4 +-
 tests/qemu-iotests/111.out|  2 +-
 tests/qemu-iotests/112.out|  4 +-
 tests/qemu-iotests/114| 12 +
 tests/qemu-iotests/114.out|  9

[PATCH v6 02/10] block: Finish deprecation of 'qemu-img convert -n -o'

2020-07-06 Thread Eric Blake
It's been two releases since we started warning; time to make the
combination an error as promised.  There was no iotest coverage, so
add some.

While touching the documentation, tweak another section heading for
consistent style.

Signed-off-by: Eric Blake 
---
 docs/system/deprecated.rst | 18 --
 qemu-img.c |  4 ++--
 tests/qemu-iotests/122 |  7 +++
 tests/qemu-iotests/122.out |  4 
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 47f84be8e09f..73b9d9f37848 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -418,14 +418,6 @@ kernel in 2018, and has also been dropped from glibc.
 Related binaries
 

-``qemu-img convert -n -o`` (since 4.2.0)
-
-
-All options specified in ``-o`` are image creation options, so
-they have no effect when used with ``-n`` to skip image creation.
-Silently ignored options can be confusing, so this combination of
-options will be made an error in future versions.
-
 Backwards compatibility
 ---

@@ -531,8 +523,8 @@ spec you can use the ``-cpu rv64gcsu,priv_spec=v1.10.0`` 
command line argument.
 Related binaries
 

-``qemu-nbd --partition`` (removed in 5.0.0)
-'''
+``qemu-nbd --partition`` (removed in 5.0)
+'

 The ``qemu-nbd --partition $digit`` code (also spelled ``-P``)
 could only handle MBR partitions, and never correctly handled logical
@@ -548,6 +540,12 @@ can be rewritten as::

   qemu-nbd -t --image-opts 
driver=raw,offset=1M,size=100M,file.driver=qcow2,file.file.driver=file,file.file.filename=file.qcow2

+``qemu-img convert -n -o`` (removed in 5.1)
+'''
+
+All options specified in ``-o`` are image creation options, so
+they are now rejected when used with ``-n`` to skip image creation.
+
 Command line options
 

diff --git a/qemu-img.c b/qemu-img.c
index bdb9f6aa46a3..9efe1f13482b 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -2369,8 +2369,8 @@ static int img_convert(int argc, char **argv)
 }

 if (skip_create && options) {
-warn_report("-o has no effect when skipping image creation");
-warn_report("This will become an error in future QEMU versions.");
+error_report("-o has no effect when skipping image creation");
+goto fail_getopt;
 }

 if (s.has_zero_init && !skip_create) {
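
Review bot: The text kept for the new error_report() still reads like the warning it replaces: "-o has no effect when skipping image creation" describes a no-op, yet the command now fails at 'goto fail_getopt'. Word it as a rejection, for example "-o cannot be used together with -n", and update the expected line in 122.out to match.
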
diff --git a/tests/qemu-iotests/122 b/tests/qemu-iotests/122
index f7a3ae684a7c..2dc16b2ca484 100755
--- a/tests/qemu-iotests/122
+++ b/tests/qemu-iotests/122
@@ -290,6 +290,13 @@ TEST_IMG="$TEST_IMG".orig _make_test_img 64M
 # backing file"
 $QEMU_IMG convert -O $IMGFMT -B "$TEST_IMG".base -n "$TEST_IMG" 
"$TEST_IMG".orig

+echo
+echo '=== -n incompatible with -o ==='
+echo
+
+$QEMU_IMG convert -O $IMGFMT -o preallocation=metadata -n \
+ "$TEST_IMG" "$TEST_IMG".orig && echo "unexpected success"
+
 # success, all done
 echo '*** done'
 rm -f $seq.full
diff --git a/tests/qemu-iotests/122.out b/tests/qemu-iotests/122.out
index 1a35951a80a8..c2e154a1e556 100644
--- a/tests/qemu-iotests/122.out
+++ b/tests/qemu-iotests/122.out
@@ -233,4 +233,8 @@ Images are identical.

 Formatting 'TEST_DIR/t.IMGFMT.base', fmt=IMGFMT size=67108864
 Formatting 'TEST_DIR/t.IMGFMT.orig', fmt=IMGFMT size=67108864
+
+=== -n incompatible with -o ===
+
+qemu-img: -o has no effect when skipping image creation
 *** done
-- 
2.27.0




Re: [PATCH v3 00/19] mailmap: Add more entries to sanitize 'git log' output

2020-07-06 Thread Ed Maste
On Thu, 2 Jul 2020 at 14:12,  wrote:
>
> Patchew URL: https://patchew.org/QEMU/20200702173818.14651-1-f4...@amsat.org/
>
> Hi,
>
> This series failed build test on FreeBSD host. Please find the details below.

I had a look at this (because it's a FreeBSD report); it appears to
have been a temporary connectivity issue.

> fatal: unable to access 'https://github.com/patchew-project/qemu/': Failed 
> connect to github.com:443; Connection timed out



Re: [PATCH v7 1/8] mac_oldworld: Allow loading binary ROM image

2020-07-06 Thread Mark Cave-Ayland
On 05/07/2020 08:31, David Gibson wrote:

> On Tue, Jun 30, 2020 at 11:45:42PM +0200, BALATON Zoltan wrote:
>> On Tue, 30 Jun 2020, Mark Cave-Ayland wrote:
>>> On 29/06/2020 19:55, BALATON Zoltan wrote:
 The beige G3 Power Macintosh has a 4MB firmware ROM. Fix the size of
 the rom region and fall back to loading a binary image with -bios if
 loading ELF image failed. This allows testing emulation with a ROM
 image from real hardware as well as using an ELF OpenBIOS image.

 Signed-off-by: BALATON Zoltan 
 ---
 v4: use load address from ELF to check if ROM is too big

  hw/ppc/mac_oldworld.c | 29 -
  1 file changed, 20 insertions(+), 9 deletions(-)

 diff --git a/hw/ppc/mac_oldworld.c b/hw/ppc/mac_oldworld.c
 index f8c204ead7..baf3da6f90 100644
 --- a/hw/ppc/mac_oldworld.c
 +++ b/hw/ppc/mac_oldworld.c
 @@ -59,6 +59,8 @@
  #define NDRV_VGA_FILENAME "qemu_vga.ndrv"

  #define GRACKLE_BASE 0xfec0
 +#define PROM_BASE 0xffc0
 +#define PROM_SIZE (4 * MiB)

  static void fw_cfg_boot_set(void *opaque, const char *boot_device,
  Error **errp)
 @@ -99,6 +101,7 @@ static void ppc_heathrow_init(MachineState *machine)
  SysBusDevice *s;
  DeviceState *dev, *pic_dev;
  BusState *adb_bus;
 +uint64_t bios_addr;
  int bios_size;
  unsigned int smp_cpus = machine->smp.cpus;
  uint16_t ppc_boot_device;
 @@ -127,24 +130,32 @@ static void ppc_heathrow_init(MachineState *machine)

  memory_region_add_subregion(sysmem, 0, machine->ram);

 -/* allocate and load BIOS */
 -memory_region_init_rom(bios, NULL, "ppc_heathrow.bios", BIOS_SIZE,
 +/* allocate and load firmware ROM */
 +memory_region_init_rom(bios, NULL, "ppc_heathrow.bios", PROM_SIZE,
 &error_fatal);
 +memory_region_add_subregion(sysmem, PROM_BASE, bios);

 -if (bios_name == NULL)
 +if (!bios_name) {
  bios_name = PROM_FILENAME;
 +}
  filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
 -memory_region_add_subregion(sysmem, PROM_ADDR, bios);
 -
 -/* Load OpenBIOS (ELF) */
  if (filename) {
 -bios_size = load_elf(filename, NULL, 0, NULL, NULL, NULL, NULL, 
 NULL,
 - 1, PPC_ELF_MACHINE, 0, 0);
 +/* Load OpenBIOS (ELF) */
 +bios_size = load_elf(filename, NULL, NULL, NULL, NULL, &bios_addr,
 + NULL, NULL, 1, PPC_ELF_MACHINE, 0, 0);
 +if (bios_size <= 0) {
 +/* or load binary ROM image */
 +bios_size = load_image_targphys(filename, PROM_BASE, 
 PROM_SIZE);
 +bios_addr = PROM_BASE;
 +} else {
 +/* load_elf sets high 32 bits for some reason, strip those */
 +bios_addr &= 0xULL;
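Review bot: The "if (bios_size <= 0)" fallback treats every load_elf() failure the same way, so a file that is an ELF but fails to load for some other reason is then copied to PROM_BASE as a raw image by load_image_targphys(). Suggest falling back only when the file is not an ELF at all and reporting the other failures, so a broken OpenBIOS build is not mapped as a flat ROM without any diagnostic.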
>>>
>>> Repeating my earlier comment from v5: something is wrong here if you need to
>>> manually strip the high bits. If you compare with SPARC32 which uses the same
>>> approach, there is no such strip required - have a look there to try and
>>> figure out what's going on here.
>>
>> OK, the problem here is this:
>>
>> $ gdb qemu-system-ppc
>> (gdb) b mac_oldworld.c:146
>> Breakpoint 1 at 0x416770: file hw/ppc/mac_oldworld.c, line 146.
>> (gdb) r
>> Thread 1 "qemu-system-ppc" hit Breakpoint 1, ppc_heathrow_init 
>> (machine=0x56863800) at hw/ppc/mac_oldworld.c:146
>> 146  filename = qemu_find_file(QEMU_FILE_TYPE_BIOS, bios_name);
>> (gdb) n
>> 147  if (filename) {
>> 149  bios_size = load_elf(filename, NULL, NULL, NULL, NULL, 
>> &bios_addr,
>> 151  if (bios_size <= 0) {
>> (gdb) p bios_size
>> $1 = 755500
>> (gdb) p/x bios_addr
>> $2 = 0xfff0
>>
>> this happens within load_elf that I don't feel like wanting to debug but
>> causes problem when we use it to calculate bios size later here:
> 
> I think the problem is here, in include/hw/elf_ops.h:
> 
> if (lowaddr)
> *lowaddr = (uint64_t)(elf_sword)low;
> 
> "low" is a u64, but for a 32-bit ELF file, which is what I'm guessing
> you're dealing with here, elf_sword is an int32_t.  So the first cast
> truncates the high bits, but makes it a signed value, so the second
> cast sign extends, resulting in those high bits.
> 
> Sign extending rather than zero-extending seems a dubious choice here,
> so I wonder if that should be (elf_word) instead of (elf_sword).  But
> maybe there's some weird other case where we do want the sign
> extension here.

I agree that sign-extending here feels odd since it will cause problems with
32-bit values on 64-bit systems like we see here, however I'm not really
familiar enough with the QEMU ELF loader to know what the intent was here.

The original reference
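
The sign extension discussed in the message above, as an added example that is not part of the thread or of QEMU: it reproduces the quoted cast next to the (elf_word) variant and feeds both results into a range check. The SAMPLE_* values and image_fits() are assumptions made up for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Word types of a 32-bit ELF file, as described in the thread. */
typedef int32_t  elf_sword;
typedef uint32_t elf_word;

/* Constructed sample values, not taken from the QEMU source. */
#define SAMPLE_ROM_BASE  0xFF000000ULL
#define SAMPLE_ROM_SIZE  (4ULL * 1024 * 1024)
#define SAMPLE_LOAD_ADDR 0xFF100000ULL   /* bit 31 set */
#define SAMPLE_IMG_SIZE  0x10000ULL

/* The cast chain quoted from include/hw/elf_ops.h: truncate to a signed
 * 32-bit word (wraps on mainstream compilers), then widen: sign-extends. */
static uint64_t lowaddr_sign_extended(uint64_t low)
{
    return (uint64_t)(elf_sword)low;
}

/* The (elf_word) variant raised in the thread: truncate, then zero-extend. */
static uint64_t lowaddr_zero_extended(uint64_t low)
{
    return (uint64_t)(elf_word)low;
}

/* Hypothetical overflow-safe check that [addr, addr + size) lies inside
 * the region [base, base + region_size). */
static bool image_fits(uint64_t addr, uint64_t size,
                       uint64_t base, uint64_t region_size)
{
    if (addr < base) {
        return false;
    }
    uint64_t off = addr - base;
    return off <= region_size && size <= region_size - off;
}

int main(void)
{
    uint64_t s = lowaddr_sign_extended(SAMPLE_LOAD_ADDR);
    uint64_t z = lowaddr_zero_extended(SAMPLE_LOAD_ADDR);
    printf("sign-extended: 0x%016llx fits=%d\n", (unsigned long long)s,
           image_fits(s, SAMPLE_IMG_SIZE, SAMPLE_ROM_BASE, SAMPLE_ROM_SIZE));
    printf("zero-extended: 0x%016llx fits=%d\n", (unsigned long long)z,
           image_fits(z, SAMPLE_IMG_SIZE, SAMPLE_ROM_BASE, SAMPLE_ROM_SIZE));
    return 0;
}
```

Addresses below 0x80000000 come out identical from both casts, so the difference only shows for images linked near the top of the 32-bit address space.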

[PATCH] target/arm: Fix mtedesc for do_mem_zpz

2020-07-06 Thread Richard Henderson
The mtedesc that was constructed was not actually passed in.
Found by Coverity (CID 1429996).

Fixes: d28d12f008e
Signed-off-by: Richard Henderson 
---
 target/arm/translate-sve.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index 08f0fd15b2..88a2fb271d 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -5275,7 +5275,7 @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, 
int zm,
 desc = FIELD_DP32(desc, MTEDESC, ESIZE, 1 << msz);
 desc <<= SVE_MTEDESC_SHIFT;
 }
-desc = simd_desc(vsz, vsz, scale);
+desc = simd_desc(vsz, vsz, desc | scale);
 t_desc = tcg_const_i32(desc);
 
 tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, pg));
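Review bot: With "desc | scale" at the simd_desc() call, the value of desc is now read on every path, including the one where the block closed just above (ending in "desc <<= SVE_MTEDESC_SHIFT") is skipped. The initialisation of desc is outside this hunk; worth confirming it starts at 0 there, and that scale cannot reach the bits at and above SVE_MTEDESC_SHIFT, otherwise the OR mixes the two fields.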
-- 
2.25.1




Re: [PATCH 02/13] qcow2: introduce icount field for snapshots

2020-07-06 Thread Eric Blake

On 6/26/20 5:19 AM, Pavel Dovgalyuk wrote:

From: Pavel Dovgalyuk 

This patch introduces the icount field for saving within the snapshot.
It is required for navigation between the snapshots in record/replay mode.

Signed-off-by: Pavel Dovgalyuk 
Acked-by: Kevin Wolf 
---
  0 files changed



That's an odd diffstat; you may want to investigate why git isn't 
showing the usual diffstat that makes it easier to see which files are 
touched and the relative size of the changes.




+++ b/docs/interop/qcow2.txt
@@ -645,6 +645,11 @@ Snapshot table entry:
  
  Byte 48 - 55:   Virtual disk size of the snapshot in bytes
  
+Byte 56 - 63:   icount value which corresponds to

+the record/replay instruction count
+when the snapshot was taken. Set to -1
+if icount was disabled
+
  Version 3 images must include extra data at least up to
  byte 55.


Should we have additional text here, similar to what was added to the 
overall header in 3ae3fcfa, about how to properly add additional 
optional fields while maintaining back-compat considerations?  Maybe 
just a one sentence reference that the rules in that section apply here too?


--
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3226
Virtualization:  qemu.org | libvirt.org




[PATCH 0/4] fuzz: misc patches

2020-07-06 Thread Alexander Bulekov
Hi,
This removes ASan from the default build of the device fuzzer (it can be
enabled using --enable-sanitizers) and adds some content to the
documentation.

This set also contains a respin of this patch:
https://patchew.org/QEMU/20200524143738.23218-1-alx...@bu.edu/

Thanks
-Alex

Alexander Bulekov (4):
  fuzz: build without AddressSanitizer, by default
  docs/fuzz: describe building fuzzers with enable-sanitizers
  docs/fuzz: add information about useful libFuzzer flags
  docs/fuzz: add instructions for generating a coverage report

 configure  | 10 +++
 docs/devel/fuzzing.txt | 63 --
 2 files changed, 66 insertions(+), 7 deletions(-)

-- 
2.26.2



